During the application test, it was observed that several modules allow a user to send email to other users, for example to report progress or notify them of defects.
E.g., from the user site:
- Requirements > Requirements > Send by Email
- Testing > Testing Resources > Send by Email
- Testing > Business Components > Send by Email
- Testing > Test Plan > Send by Email
- Testing > Test runs > Send by Email
- Defects > Send by Email
The application does not check whether the request was submitted by a human or by an automated client, and it accepts the same request any number of times, so a captured "Send by Email" request can be replayed.
A malicious user can abuse this to flood the mail server: each successful request makes the mail server deliver a message to the registered email address of the selected recipient, so replaying the request in a loop generates an unbounded volume of outbound mail, overloading the mail server and filling the recipients' mailboxes.
It is recommended to implement a one-time, random and unique nonce per request, so that the server can verify that each POST submission belongs to a form it issued to that session and reject any resubmission of the same nonce; this prevents replay of a captured request. As defence in depth, the send function should also be rate-limited per user, since a nonce alone does not stop an authenticated attacker who fetches a fresh form before every send.
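The following is an added illustration of the recommended control, not code from the tested application: a server-side nonce store that mints a fresh token when the form is rendered, binds it to the session, accepts it exactly once and expires it, plus a per-user sliding-window rate limit as the second layer. The handler, session identifiers, field names and sample requests are all assumed for the example.

```python
import secrets
import time
from collections import defaultdict, deque


class NonceStore:
    """Issue one-time nonces bound to a session; accept each nonce at most once."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                      # injectable so expiry can be tested offline
        self._issued = defaultdict(dict)        # session_id -> {nonce: expiry_timestamp}

    def issue(self, session_id):
        nonce = secrets.token_urlsafe(32)       # 256 random bits from the OS CSPRNG
        self._issued[session_id][nonce] = self.clock() + self.ttl
        return nonce

    def consume(self, session_id, nonce):
        # pop() deletes the nonce on first use, so a replayed copy is not found
        expiry = self._issued[session_id].pop(nonce, None)
        if expiry is None:
            return False                        # never issued to this session, or already used
        return self.clock() < expiry            # issued, but reject if stale


class SlidingWindowLimiter:
    """Allow at most max_events per key within the trailing window."""

    def __init__(self, max_events, window_seconds, clock=time.time):
        self.max_events = max_events
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)       # key -> timestamps of accepted events

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


class SendByEmailHandler:
    """Stands in for the application's 'Send by Email' endpoint (assumed names and fields)."""

    def __init__(self, nonces, limiter):
        self.nonces = nonces
        self.limiter = limiter
        self.outbox = []                        # stands in for the mail server queue

    def render_form(self, session_id):
        # GET of the form: mint a nonce and embed it as a hidden field
        return {"nonce": self.nonces.issue(session_id)}

    def post(self, session_id, form):
        # POST of the form: the nonce must have been issued to this session and be unused
        if not self.nonces.consume(session_id, form.get("nonce", "")):
            return "rejected: invalid or replayed nonce"
        if not self.limiter.allow(session_id):
            return "rejected: rate limit exceeded"
        self.outbox.append((form["to"], form["subject"]))
        return "sent"


def replay_demo(clock=time.time):
    """Legitimate send, then a captured-and-replayed copy of the same POST."""
    handler = SendByEmailHandler(NonceStore(clock=clock),
                                 SlidingWindowLimiter(5, 60, clock=clock))
    # Constructed sample request, not captured from a real application
    form = handler.render_form("session-alice")
    form.update(to="bob@example.invalid", subject="Defect status update")
    first = handler.post("session-alice", form)
    replay = handler.post("session-alice", dict(form))       # attacker resends the same request
    return first, replay, len(handler.outbox)


def flood_demo(attempts=20, clock=time.time):
    """Attacker fetches a fresh form before every send; the rate limit caps the damage."""
    handler = SendByEmailHandler(NonceStore(clock=clock),
                                 SlidingWindowLimiter(5, 60, clock=clock))
    sent = 0
    for i in range(attempts):
        form = handler.render_form("session-mallory")
        form.update(to="victim@example.invalid", subject=f"message {i}")
        if handler.post("session-mallory", form) == "sent":
            sent += 1
    return sent, len(handler.outbox)


if __name__ == "__main__":
    print(replay_demo())   # ('sent', 'rejected: invalid or replayed nonce', 1)
    print(flood_demo())    # (5, 5)
```

The nonce is looked up in a store keyed by session rather than merely checked for well-formedness, so a token minted for one user cannot be submitted by another, and popping it on first use is what defeats the replay. The in-memory store is an assumption for the example; a multi-process deployment would keep the same structure in a shared store.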