This Easy Bug will help you Earn Your first Bounty

4 min readMar 25, 2023

“بسم الله الرحمن الرحيم”
“اللهم صلي وسلم وبارك علي نبينا محمد”

“In the name of God, the most gracious, the most merciful”
“May Allah’s blessings and peace be upon our Prophet Muhammad”

Introduction

Bounty programs have become an increasingly popular way for companies to identify and fix vulnerabilities in their software. These programs reward individuals who discover and report security issues, and many researchers have been able to earn a substantial amount of money by participating in them. However, for those who are new to the field, it can be difficult to know where to start. In this article, we will explore a bug that could help you earn your first bounty and provide some tips for getting started with bug hunting.

The Bug

The “No Rate Limiting on Form” vulnerability occurs when a web form does not have any rate limiting or other protections in place to prevent automated submissions. This can allow an attacker to submit a large number of form submissions in a short amount of time, which can be used to launch brute-force attacks against usernames, passwords, and other sensitive information.

For example, let’s say a website has a login form that allows users to enter their username and password. If the website does not have any rate limiting in place, an attacker could use a script or tool to automate the process of submitting login attempts using a list of common usernames and passwords. This can be a very effective way for an attacker to gain access to a user’s account, especially if the user has chosen a weak or easily guessable password.

Getting Started

If you are a bug hunter looking to identify the “No Rate Limiting on Form” vulnerability, the first step is to identify a website that has a form that is vulnerable to automated submissions. This could include login forms, contact forms, registration forms, and other types of forms that accept user input.

Once you have identified a vulnerable form, the next step is to try to submit a large number of automated form submissions. This can be done using a variety of tools and scripts, such as Burp Suite, OWASP ZAP, or custom scripts written in Python or another scripting language.

If you are able to successfully submit a large number of automated form submissions, you may have identified a “No Rate Limiting on Form” vulnerability. Be sure that some websites may exclude these types of vulnerabilities from the scope, So read the scope well before testing!

Impact

No rate limiting on a form that triggers email can result in reputational damage for the business as customers’ trust is impacted through receiving large amounts of unwanted and unsolicited emails. This also creates the risk of the email address domain being added to a spam list.
Trouble to the users on the website because huge email bombings can be done by the attackers within seconds. If you are using any Email Service Software API or some tool that costs you for your Email this type of Attack can result in you In Financial Lose and it can also Slow Down your Services it can take up the bulk of storage In sent Mail although if users are affected by this Vulnerability they can stop using your Services which can Lead to Business Risk.
Additionally, for systems that use Software-as-a-Service (SaaS) email providers, there can be direct financial costs associated with sending large volumes of emails to unconfirmed user’s emails.

Testing on Real Target

We will test on a private program on bugcrowd, As we know we will name it “target” for privacy purposes!

Identifying Sign-up form

Opening the Main website we can observe that Sign-up button to make an account!

I will choose a role and continue!

Filling the form

After filling out the form observe that the E-Mail that I need to specify for testing is bugcrowdninja Email and the number after it is for making more than one account that will be interested through the intruder!

Send the form and Intercept the request then send it to the intruder!

Iterating the Request

After sending the request to the intruder, I will only mark the number after the email itself for choosing the number Payload type for treating this number for making more than 400 Accounts due to Bugcrowd PoC!