No rate limit vulnerability on signup page

Chandrashekhar gouda
Apr 17, 2022


Vulnerable URL: https://www.mollie.com/dashboard/signup?lang=en

## Description

When signing up for an account, you enter your email address and an activation link is sent to it.

A user can register multiple email addresses at once; the signup endpoint applies no rate limit to these requests.

## Steps to reproduce

  1. Go to the signup page.
  2. Enter a username, email and password in the signup form (I used different temporary mail addresses).
  3. Turn intercept on before clicking "Create account".
  4. Your request will look like this:

POST /dashboard/signup?lang=en HTTP/1.1
Host: www.mollie.com
Cookie: m_locale=en; mollieIdTmp=6837f7f0d1bf99e5434d76d2; _gcl_au=1.1.1423436540.1650206093; __gtm_referrer=https%3A%2F%2Fwww.google.com%2F; initialTrafficSource=utmcsr=google|utmcmd=organic|utmccn=(not set)|utmctr=(not provided); _uetsid=8d516310be5b11ecb389771db54995fd; _uetvid=8d515510be5b11ec887e6513bc99be68; _ga=GA1.2.885996367.1650206097; _gid=GA1.2.131169964.1650206097; m_session_type=active; __hstc=72412236.a66793343f496a638fc8758eff07e6c0.1650206097736.1650206097736.1650206097736.1; hubspotutk=a66793343f496a638fc8758eff07e6c0; __hssrc=1; __hssc=72412236.1.1650206097736; SESSIONID=qg342jiaortltsagau2njbqsu0; _gat=1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 697
Origin: https://www.mollie.com
Referer: https://www.mollie.com/dashboard/signup?lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

_formtoken=adadedd1d57312b4a3c0d69ac0f1cc346b9eda5f41ab7de48f5e8c791004086680adfe2d5f7fa075&ga-cid=&onboarding=dashboard&meta-data=%7B%22browserLanguage%22%3A%22en-US%22%2C%22screenResolution%22%3A%221920x1080%22%2C%22browser%22%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A99.0%29+Gecko%2F20100101+Firefox%2F99.0%22%7D&first_name=abc&last_name=def&business_location=IN&email=qkfvlio446%40provocateurmedia.xyz&password=1234cvAefw&email_opt_in=1&rcToken=HFbGlofxBODBMWX1ldQkNMQwgjCQF3fGw_DgkSOGs4OjdvPXJ1Kx16BjJRPS1hel5PUhkPHw0bbg0eJ1ZRNUovKA15AT8aKz5BKH0yenEwN11oaH49T2AIFmNZWFtBT0dIWnQaEwJIMW9RSVEpa01hYjRsZGJZPjAVNzp0aGYpGxMSSW1TeklsHGNBFkMHCxt7Smt2YRZgRCt-PXZ1LBo&phone-number=

  5. Send the request to Intruder and make sure the attack type is Sniper.
  6. Click "Clear §", select the email value and click "Add §".
  7. Go to the Payloads section and set the payload type to "Simple list". Copy different addresses from the temporary mail service, paste them into the payload options and click "Start attack".
  8. Check the inboxes of those addresses; you will receive an activation link in multiple mailboxes.

## Impact on Organization

· It can annoy any individual who never registered with your organization but still received the registration email.

· It can lead to financial loss if the employees of a business client, or the client himself, receive these kinds of mails.

· It can lead to business risk.

· The company's reputation can be impacted, as the individual may think the organization is not concerned about their security, so it leaves a negative impression of the organization in people's minds.

## Mitigation/Solution

· I would recommend adding a CAPTCHA to the registration page.

· This vulnerability also exists on the forgot-password page, so a CAPTCHA should be added there as well.

· The number of requests to the forgot-password endpoint can also be limited.
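To make the last mitigation concrete, here is an added example (not code from the original report or from Mollie) of a server-side sliding-window limiter for a signup or forgot-password endpoint. It keeps two independent budgets: one per client IP, which stops a single Intruder session from spraying many addresses, and one per target email, which stops one address being mailed repeatedly even from many IPs. The `SignupGuard`, `replay_burst` and `extract_email` names, the limits, the IP addresses and the form bodies are all constructed for this illustration; the form-body parsing assumes the same `application/x-www-form-urlencoded` layout as the request above.

```python
"""Server-side rate limiting for signup / forgot-password endpoints.

Added example, not from the original report. Names, limits, IPs and
request bodies are constructed; no real framework is assumed.
"""
from collections import deque
from urllib.parse import parse_qs


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` within the trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = {}  # key -> deque of event timestamps, oldest first

    def allow(self, key, now):
        q = self._events.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SignupGuard:
    """Two budgets: per client IP (one attacker, many addresses) and
    per target email (one address, many attackers)."""

    def __init__(self, per_ip=5, per_email=1, window=600):
        self.by_ip = SlidingWindowLimiter(per_ip, window)
        self.by_email = SlidingWindowLimiter(per_email, window)

    def decide(self, client_ip, email, now):
        key = email.strip().lower()  # case/whitespace variants share one bucket
        if not self.by_ip.allow(client_ip, now):
            return "rate_limited"   # answer HTTP 429; send nothing
        if not self.by_email.allow(key, now):
            return "suppressed"     # answer as if accepted, but send no mail
        return "sent"               # hand off to the mailer


def extract_email(form_body):
    """Pull the `email` field out of an application/x-www-form-urlencoded body."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("email", [""])[0]


def replay_burst(guard, client_ip, count, start, spacing=0.1):
    """Constructed stand-in for the Sniper run described above: `count` POSTs
    from one IP, each with a different address, `spacing` seconds apart.
    Returns how many requests the guard would have mailed, suppressed or refused."""
    outcomes = {"sent": 0, "suppressed": 0, "rate_limited": 0}
    for i in range(count):
        body = f"first_name=abc&last_name=def&email=user{i}%40example.test&password=x"
        outcome = guard.decide(client_ip, extract_email(body), start + i * spacing)
        outcomes[outcome] += 1
    return outcomes


if __name__ == "__main__":
    guard = SignupGuard()
    print(replay_burst(guard, "198.51.100.7", 50, start=1000.0))
    # {'sent': 5, 'suppressed': 0, 'rate_limited': 45}
```

With the default budget of five signups per IP per ten minutes, a fifty-request burst yields five activation mails and forty-five 429 responses; once the window has passed the budget refills on its own. The per-email limiter answers duplicates as if they were accepted so that the response does not reveal whether the address is already known, which matters more on the forgot-password page than on signup. In production the event store would live in something shared across workers (Redis or similar) rather than a process-local dict, and the IP key should come from the connection or a trusted proxy header, never from a client-controlled one.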
