SMS/Email Bombing

Mohammad Mohsin
6 min read, May 5, 2022
SMS/Email Bombing Attack

Hello Friends,

This is my 26th blog on web application security penetration testing. In this blog I will explain the SMS/Email Bombing attack.

In my last blog I explained HTML Injection. Hope everyone liked it. If you haven’t read it yet, please follow along.

This blog may be interesting for newbies, but for most cybersecurity professionals this is a very easy bug to find and report. Trust me, though, this kind of simple bug can still earn a bounty or a Hall of Fame mention on Bugcrowd or HackerOne, where it is rated P4 (Informational). Most of the time, however, it is marked as a duplicate if someone has reported it earlier.

Here is the proof attached below from Bugcrowd. I reported this long ago, so I don’t know whether it is still accepted as a valid bug, but the Bugcrowd VRT still lists it as a P4.

Hall of Fame From Indeed on Bugcrowd Platform
Bugcrowd VRT

So let’s not waste time and jump into the step-by-step POC. I am demonstrating two POCs here: one for SMS bombing/triggering and another for email bombing/triggering.

Variant 1: SMS Bombing:

1. Let’s say on redacted.com I have captured, in the Burp Suite proxy tool, the request that verifies the mobile number with the received OTP. Below is what the captured request looks like.

Verify OTP Request Captured in Proxy

2. Send the captured request to Burp Intruder and select the payload positions as shown below:

Set the payload positions

3. Launch the attack with a payload count in the thousands or millions. I tested with a smaller count of 1000.

Flooding 1000 requests at a time

4. After thousands of requests, the user received up to 100 SMSs/OTPs. Most of the requests were dropped with response code “204 (No Content)”.

Flooding SMS

5. Every 10+ seconds the user received another OTP. I received a few OTPs at 12:22 PM and they kept coming for the next 2 hours, with short gaps in between.

SMS Flood Successful

Note: Since an API is being called, you can also report this as “No rate limiting on API calls”.

Impact of SMS Flooding:

An attacker may send thousands of SMSs to genuine users of the web application and create the impression that the organization is under attack. As the organization pays for every SMS/OTP the web application sends to a user, this also causes a financial loss to the organization.

Recommendation for SMS Flooding:

It is recommended to implement proper rate limiting on the OTP endpoint. It is also recommended to cap the number of SMS/OTPs a user can request per hour and per day.

Variant 2: Email Flooding:

1. Navigate to the Forgot Password page and enter an email address to receive the password reset link via email.

Forgot Password Page

2. Enter the email ID, click the Submit button, and capture the request in the web proxy tool.

Forgot Password request captured in web proxy

3. Move the request to Intruder to automate the attack.

Request Moved to Intruder

4. Set the payload position to any random string, as demonstrated in the earlier SMS bombing attack, and set the number of payloads to launch the attack.

Set Payload count to Hundred/Thousands/Millions

5. Launch the attack, which sends the password reset link 100 times to the user’s email.

Automated Attack
Pass reset link received 100 times

Impact of Email Flooding:

There are three methods of email bombing: Mass mailing, List linking and ZIP bombing.

Mass mailing involves sending many duplicate emails to the same address, but this can be easily detected by spam filters.

The second, list linking, involves subscribing the target email address to many different mailing lists. The user then keeps receiving mail from all these subscriptions and has to manually unsubscribe from each list separately.

Email bombing done using ZIP-archived attachments that expand to millions or billions of characters is known as ZIP bombing.

Mail servers that scan such mail with anti-virus software need a much greater amount of processing power, possibly resulting in a denial of service.

Email flooding has various impacts, such as:

1. The email server gets busy sending a large number of emails if the attacker configures the payload to send a huge amount of email to victims.

2. If an attacker decides to trouble users by generating many emails (email bombarding), it becomes hard for the user to safely use the service the next time.

3. Email bombs may create denial of service (DoS) conditions against your email software, and even your network and Internet connection, by consuming a large amount of bandwidth and, sometimes, requiring large amounts of storage space.

Recommendations for Email Bombing:

While you cannot eliminate the chance of being email bombed, there are some preventive and protective measures you can take to reduce the effect. Here are some of them:

1. Rate limiting should be implemented.

2. Use a request-based token.

3. Use a CAPTCHA.
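One way to put the rate-limiting recommendation into practice for both variants (the per-hour/per-day cap suggested for SMS flooding above, and item 1 here): a limiter checked before any OTP or reset link is handed to the SMS/email provider, keyed on the recipient and on the source IP. This is an added example, not code from the original post; the class name, the thresholds and the sample phone numbers/IP are assumptions.

```python
import time
from collections import defaultdict, deque

class OtpSendLimiter:
    """Decide whether an OTP / reset-link send may go out.
    Checked before the SMS or email is handed to the provider, keyed on the
    recipient (phone number or email) and the source IP: a resend cooldown,
    sliding-window caps per recipient per hour and per day, and a
    sliding-window cap per source IP per hour. Thresholds are demo assumptions.
    """

    def __init__(self, cooldown_s=60, per_hour=3, per_day=10,
                 ip_per_hour=30, clock=time.time):
        self.cooldown_s, self.per_hour, self.per_day = cooldown_s, per_hour, per_day
        self.ip_per_hour, self.clock = ip_per_hour, clock
        self._by_recipient = defaultdict(deque)   # recipient -> send timestamps
        self._by_ip = defaultdict(deque)          # source ip -> send timestamps

    @staticmethod
    def _prune(events, cutoff):
        # Timestamps are appended in order, so drop expired ones from the left.
        while events and events[0] < cutoff:
            events.popleft()

    def check(self, recipient, source_ip):
        """Return (allowed, reason); the send is recorded only when allowed."""
        now = self.clock()
        rec, ip = self._by_recipient[recipient], self._by_ip[source_ip]
        self._prune(rec, now - 86400)   # keep one day of history per recipient
        self._prune(ip, now - 3600)     # keep one hour of history per IP
        if rec and now - rec[-1] < self.cooldown_s:
            return False, "cooldown"            # same request replayed in a loop
        if sum(1 for t in rec if t >= now - 3600) >= self.per_hour:
            return False, "recipient_hourly_cap"
        if len(rec) >= self.per_day:
            return False, "recipient_daily_cap"
        if len(ip) >= self.ip_per_hour:
            return False, "ip_hourly_cap"       # many recipients from one source
        rec.append(now)
        ip.append(now)
        return True, "ok"

class FakeClock:
    """Manually advanced clock so the limiter can be exercised offline."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def __call__(self):
        return self.t
```

The denied reasons are what you would log and alert on: a burst of "cooldown" or "ip_hourly_cap" denials from one IP is exactly the Intruder run described above, seen from the server side.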

You can implement the following countermeasures as an additional layer of security for your e-mail systems:

· Tarpitting: Tarpitting detects inbound messages destined for unknown users. If your e-mail server supports Tarpitting, it can help prevent spam or DoS attacks against your server. If a predefined threshold is exceeded — say, more than ten messages — the Tarpitting function effectively shuns traffic from the sending IP address for a period.

· E-mail firewalls: E-mail firewalls and content-filtering applications from vendors can go a long way towards preventing various e-mail attacks. These tools protect practically every aspect of an e-mail system.

· Perimeter protection: Although not e-mail-specific, many firewalls and IPS systems can detect various e-mail attacks and shut off the attacker in real time. This can come in handy during an attack.

· CAPTCHA: Using a CAPTCHA on web-based email forms can help minimize the impact of automated attacks and lessen your chances of email flooding and denial of service. Keep this in mind when assessing your websites and applications.

Please do like and follow for more reads!

Thanks!


Mohammad Mohsin

Director - OLF Infotech Pvt. Ltd. Ethical Hacker, Vulnerability Assessment and Penetration Tester, Bug Hunter, Security Researcher, Optimistic, Philanthropist.