Missing rate limit in signup Form

Chandrashekhar gouda
Apr 17, 2022

vulnerable url : https://secure.virtru.com/dashboard-v2/login/?alternativeUrl=true&loginPlatform=dashboard&loginRedirectUrl=https%3A%2F%2Fsecure.virtru.com%2Fdashboard-v2%2Forg-settings&prompt=true#_

## Description

When signing up for an account, you enter your email address and the service sends an activation link to that address.

That alone is not a problem; the issue is that this request can be sent an unlimited number of times.

Steps to reproduce:

  1. Go to the sign-in page.
  2. Take a temporary email address from the given link; I used qkfvlio446@provocateurmedia.xyz.
  3. Paste this address into the signup box. Before hitting Enter, turn intercept on in Burp Suite.
  4. Your request will look like this:

POST /accounts/api/email-login HTTP/2
Host: api.virtru.com
Cookie: amplitude_id_d34d3d2c70eb854183143c56c470dcb4virtru.com=eyJkZXZpY2VJZCI6IjhlMmY4ZGQyLTBhMTEtNDc0NS1iYjk2LTg5NTZkMDZiYjhiNFIiLCJ1c2VySWQiOiJjaGFuZHJ1Z2c1MTFAZ21haWwuY29tIiwib3B0T3V0IjpmYWxzZSwic2Vzc2lvbklkIjoxNjQ5NTg0ODIyNjQ2LCJsYXN0RXZlbnRUaW1lIjoxNjQ5NTg0ODM1NjI0LCJldmVudElkIjoyMywiaWRlbnRpZnlJZCI6NSwic2VxdWVuY2VOdW1iZXIiOjI4fQ==; _ga=GA1.2.202422639.1649160291; _gcl_au=1.1.310350741.1649166104; _biz_uid=7c073ae73065404bc7ab8cb6ff9ab610; _biz_nA=4; _biz_pendingA=%5B%5D; _biz_flagsA=%7B%22Version%22%3A1%2C%22ViewThrough%22%3A%221%22%2C%22XDomain%22%3A%221%22%7D; _clck=1ocww53|1|f0i|0; __hstc=150987305.dcb7bc002962b3bdb41744143ccf2504.1649166106869.1649576596576.1649584823384.3; hubspotutk=dcb7bc002962b3bdb41744143ccf2504; _uetvid=226b6960b4e611ecb1b0cf072b445ee3; appIdBundle-1ec2de89–7d51–41cf-887a-4e5eafe1cca8=%7B%22appId%22%3A%221277dbe5–5378–4762-a827–2243ab1fd917%22%2C%22authorizedDomains%22%3A%5B%22accounts.virtru.com%22%2C%22accounts.production.virtru.com%22%2C%22accounts-production01.virtru.com%22%2C%22acm.virtru.com%22%2C%22acm.production.virtru.com%22%2C%22acm-production01.virtru.com%22%2C%22events.virtru.com%22%2C%22events.production.virtru.com%22%2C%22events-production01.virtru.com%22%2C%22api.virtru.com%22%5D%2C%22emailActivationLink%22%3A%7B%22expirationDateTime%22%3A%222022–04–18T08%3A52%3A55.118Z%22%2C%22firstHalfLinkId%22%3A%22665f4523-a941–48cf-abb2-e2bbed251789%22%7D%2C%22platform%22%3A%22web_login%22%2C%22state%22%3A%22pending%22%2C%22userId%22%3A%22kilteturku%40vusra.com%22%2C%22timestamp%22%3A%222022–04–17T08%3A52%3A55.147Z%22%7D; 
appIdBundle-47975abd-ed88–48d0-a359–1969e9a0164a=%7B%22appId%22%3A%22771a5e3d-18f9–4449-bcc8–68caaa77900a%22%2C%22authorizedDomains%22%3A%5B%22accounts.virtru.com%22%2C%22accounts.production.virtru.com%22%2C%22accounts-production01.virtru.com%22%2C%22acm.virtru.com%22%2C%22acm.production.virtru.com%22%2C%22acm-production01.virtru.com%22%2C%22events.virtru.com%22%2C%22events.production.virtru.com%22%2C%22events-production01.virtru.com%22%2C%22api.virtru.com%22%5D%2C%22emailActivationLink%22%3A%7B%22expirationDateTime%22%3A%222022–04–18T08%3A57%3A34.640Z%22%2C%22firstHalfLinkId%22%3A%228668007b-bc1d-4ae3–9208-b63b52f3c474%22%7D%2C%22platform%22%3A%22web_login%22%2C%22state%22%3A%22pending%22%2C%22userId%22%3A%22kilteturku%40vusra.com%22%2C%22timestamp%22%3A%222022–04–17T08%3A57%3A34.672Z%22%7D; appIdBundle-bc903743–146f-4b0a-8ed7-d10762343461=%7B%22appId%22%3A%22c8866b31–9dd2–44ca-a936-b3cda8ca8467%22%2C%22authorizedDomains%22%3A%5B%22accounts.virtru.com%22%2C%22accounts.production.virtru.com%22%2C%22accounts-production01.virtru.com%22%2C%22acm.virtru.com%22%2C%22acm.production.virtru.com%22%2C%22acm-production01.virtru.com%22%2C%22events.virtru.com%22%2C%22events.production.virtru.com%22%2C%22events-production01.virtru.com%22%2C%22api.virtru.com%22%5D%2C%22emailActivationLink%22%3A%7B%22expirationDateTime%22%3A%222022–04–18T09%3A00%3A22.649Z%22%2C%22firstHalfLinkId%22%3A%22781c7fa5–24a0–4dc3-a6f1–653eb0b97829%22%7D%2C%22platform%22%3A%22web_login%22%2C%22state%22%3A%22pending%22%2C%22userId%22%3A%22zortokurta%40tozya.com%22%2C%22timestamp%22%3A%222022–04–17T09%3A00%3A22.679Z%22%7D; 
appIdBundle-9f63ce21–4621–4e15–9a19–2319db5eb9e6=%7B%22appId%22%3A%22d5a8cdd5–9759–4667-a775–528d0dbf0956%22%2C%22authorizedDomains%22%3A%5B%22accounts.virtru.com%22%2C%22accounts.production.virtru.com%22%2C%22accounts-production01.virtru.com%22%2C%22acm.virtru.com%22%2C%22acm.production.virtru.com%22%2C%22acm-production01.virtru.com%22%2C%22events.virtru.com%22%2C%22events.production.virtru.com%22%2C%22events-production01.virtru.com%22%2C%22api.virtru.com%22%5D%2C%22emailActivationLink%22%3A%7B%22expirationDateTime%22%3A%222022–04–18T09%3A02%3A59.854Z%22%2C%22firstHalfLinkId%22%3A%22628d7bb4-e93f-4295–9ac2–985fe8f39344%22%7D%2C%22platform%22%3A%22web_login%22%2C%22state%22%3A%22pending%22%2C%22userId%22%3A%22fbgqcyu509%40provocateurmedia.xyz%22%2C%22timestamp%22%3A%222022–04–17T09%3A02%3A59.885Z%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://secure.virtru.com/
Content-Type: application/json
Origin: https://secure.virtru.com
Content-Length: 118
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

{"emailAddress":"qkfvlio446@provocateurmedia.xyz","redirectUrl":"https://secure.virtru.com/dashboard-v2/org-settings"}

5. Send the request to Intruder.

6. Clear $.

7. Search for Accept-Language: en-US,en;q=0.5, select only the 5 and hit Add $.

Make sure the attack type is Sniper.

8. Go to the Payloads section and choose the payload type Numbers. In the payload options, set from 1 to 200 with step 1.

9. Hit Start attack.

10. Go to the temporary email inbox.

You can see 200 activation mails.

PoC: screenshot attached above.

## Solution

I would recommend adding a reCAPTCHA, or some other check that requires manual human interaction to proceed, such as a simple challenge like 2+2=___, so that the form cannot be brute-forced. You can also enforce a limit at the backend, for example allowing a particular user to request the forgot-password email or link at most 5 times a day. Either measure will prevent someone from exploiting this vulnerability.
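As an added illustration of the backend limit suggested above (example code written for this page, not Virtru's implementation): a small Python model of the email-login endpoint with a sliding-window counter per address and per client IP. The path /accounts/api/email-login and the emailAddress field come from the request shown in the steps; the cap of 5 mails per address per day follows the recommendation above, while the cap of 20 requests per IP per 10 minutes, the addresses and the traffic replayed at the end are constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within any `window` seconds.

    Timestamps are passed in explicitly so the logic is deterministic and
    testable; a real service would pass time.time().
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def allow(self, key, now):
        q = self._hits[key]
        # Drop attempts that have aged out of the window.
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class EmailLoginHandler:
    """Simulated backend for POST /accounts/api/email-login (path and field
    name taken from the request in the write-up). Hypothetical policy:
    5 activation mails per address per day, as the write-up suggests, plus an
    assumed burst cap of 20 requests per client IP per 10 minutes."""

    def __init__(self):
        self.per_email = SlidingWindowLimiter(limit=5, window=24 * 3600)
        self.per_ip = SlidingWindowLimiter(limit=20, window=600)
        self.sent = []  # addresses an activation mail was actually sent to

    def handle(self, client_ip, body, now):
        # Normalise the key so case variants do not get separate budgets.
        email = (body.get("emailAddress") or "").strip().lower()
        if not email:
            return 400
        # Check the IP budget first: a client spraying many different addresses
        # hits this cap even though each address is still under its own cap.
        if not self.per_ip.allow(client_ip, now):
            return 429
        if not self.per_email.allow(email, now):
            return 429
        self.sent.append(email)
        return 200


# Constructed sample traffic, not captured from the target: one ordinary
# signup, then 200 repeat requests for a single address from one client,
# the pattern the write-up produces with Intruder.
SAMPLE_REQUESTS = [("203.0.113.10", "alice@example.com", 0.0)]
SAMPLE_REQUESTS += [
    ("198.51.100.7", "user@example.net", 10.0 + i * 0.05) for i in range(200)
]


def replay(requests):
    """Run the requests through a fresh handler and summarise the outcome."""
    handler = EmailLoginHandler()
    statuses = [
        handler.handle(ip, {"emailAddress": email}, t) for ip, email, t in requests
    ]
    return {
        "accepted": statuses.count(200),
        "rate_limited": statuses.count(429),
        "mails_sent": len(handler.sent),
    }


if __name__ == "__main__":
    # With the policy above the burst yields 5 mails instead of 200.
    print(replay(SAMPLE_REQUESTS))
```

In production the counters would live in a shared store such as Redis so that every instance behind the load balancer sees the same budget, and the policy is usually soft: past the threshold, require the CAPTCHA the post recommends rather than refusing outright. A per-address cap on its own does not stop a client from spraying thousands of different addresses, which is why the per-IP cap is also there. The normalisation shown only lower-cases the address, so plus-addressing variants would still receive separate budgets unless the mail provider's aliasing rules are applied as well.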

## Impact

If you are using an email service, software API or some other tool that charges you per email, this type of attack can result in financial loss. It can also slow down your services and consume a large amount of storage in sent mail. And if users are affected by this vulnerability they may stop using your services, which is a business risk.
