No Rate Limiting on Email-Triggering

Description

A website may expose an email-triggering endpoint: a request that causes the web application to send an email, with pre-defined or dynamic content, to a given email address.

If there is no rate limiting on such functionality, an attacker can misuse it for email bombing.

Email bombing means sending a large number of duplicate emails to the same email address.

Example

For example, the website may have a subscribe form. When a user enters an email address and clicks the subscribe button, that address receives an email from the website, such as:

Thank you for subscribing. Bla bla bla...

Because the form accepts any address, an attacker can enter the victim's address and submit the form repeatedly (by hand or with a script), sending the victim a large number of emails within a short time. Due to such email bombing, the victim may miss vital mail buried among the duplicates.

Impact

  • The victim's mailbox is flooded; important mail is lost among the duplicates and the victim may be unable to use the mailbox at all.
  • Application, mail-server and queue resources are wasted.
  • Websites commonly use third-party email services (such as Mailgun, Mailchimp or Mailjet) that charge per message sent, so the attack causes direct financial loss.

Prevention

  • Implement rate limiting in the application, keyed on the source IP as well as the active session. Because an attacker can rotate IPs and sessions, also cap the number of emails sent to a given recipient address per time window; the recipient address is the one value the attacker cannot change.
  • Block the IP / session that keeps sending requests after it has already received a 429 Too Many Requests response.
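The following is an added example, not code from the original page: an in-memory sliding-window limiter for the subscribe endpoint that enforces separate windows per source IP, per session and per recipient address, returns 429 when a window is exhausted, and escalates to a 403 block for a key that keeps sending after repeated 429s. The limits, block threshold and the `simulate_burst` traffic are illustrative assumptions.

```python
# Added example (not the original page's code): sliding-window rate limiting for
# an email-triggering endpoint. Limits and block thresholds are illustrative.
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Rule:
    limit: int      # requests allowed per window
    window: float   # window length in seconds


# Illustrative limits (assumption; tune for real traffic). The recipient key is
# what actually stops email bombing: an attacker can rotate IPs and sessions,
# but the victim's address stays the same on every request.
DEFAULT_RULES = {
    "ip": Rule(limit=20, window=60.0),
    "session": Rule(limit=10, window=60.0),
    "recipient": Rule(limit=3, window=600.0),
}


class EmailRateLimiter:
    """In-memory limiter. A real deployment would keep these counters in a
    shared store (e.g. Redis) so that every application instance sees them."""

    def __init__(self, rules=DEFAULT_RULES, block_after=3, block_seconds=3600.0):
        self.rules = rules
        self.block_after = block_after        # 429s tolerated before a hard block
        self.block_seconds = block_seconds
        self.events = defaultdict(deque)      # (key_name, value) -> timestamps of accepted sends
        self.strikes = defaultdict(int)       # (key_name, value) -> 429s issued so far
        self.blocked_until = {}               # (key_name, value) -> time the block expires

    def check(self, ip, session, recipient, now=None):
        """Return (http_status, reason). 200 means the email may be sent and the
        request has been counted; 429 / 403 mean drop it without sending."""
        now = time.monotonic() if now is None else now
        keys = [("ip", ip), ("session", session),
                ("recipient", recipient.strip().lower())]   # normalise the address

        # A hard-blocked key is refused before anything is counted.
        for key in keys:
            until = self.blocked_until.get(key)
            if until is not None and now < until:
                return 403, f"blocked:{key[0]}"

        # Check every window; the first exhausted one rejects the request.
        for key in keys:
            rule = self.rules[key[0]]
            q = self.events[key]
            while q and now - q[0] >= rule.window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= rule.limit:
                self.strikes[key] += 1
                if self.strikes[key] >= self.block_after:
                    # Caller kept hammering after receiving 429: escalate to a block.
                    self.blocked_until[key] = now + self.block_seconds
                    self.strikes[key] = 0
                return 429, f"rate_limited:{key[0]}"

        # Every window has room: count this send against all three keys.
        for key in keys:
            self.events[key].append(now)
        return 200, "sent"


def simulate_burst(limiter, n, ip="203.0.113.7", session="sess-attacker",
                   recipient="victim@example.com", start=0.0, gap=0.1):
    """Constructed traffic: n subscribe requests from one attacker, gap seconds apart.
    Returns the list of status codes the endpoint would answer with."""
    return [limiter.check(ip, session, recipient, now=start + i * gap)[0] for i in range(n)]


if __name__ == "__main__":
    lim = EmailRateLimiter()
    print(simulate_burst(lim, 10))
```

With the illustrative limits, the first three requests are sent, the next three receive 429 because the recipient window is exhausted, and from then on the recipient key is blocked, so a second attacker using a fresh IP and session against the same victim is refused immediately while the same IP can still trigger mail to a different address.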