
Our Rails application has a feature where an admin can trigger sending a verification email to users that haven't been verified yet, but not to verified ones.

However, it was pointed out that by intercepting this PUT request and modifying the id to another one, it was possible to send a verification email even to already verified users, thereby confusing them.

How do I make sure that I can find out that the request was tampered with?

I can keep track of the users invites were sent to and how many times, but it still doesn't solve the problem that anyone can trigger an email to anyone if they know or guess the user id, which is visible in the user details page in the format users/17.

I'm not sure how do I solve this problem.

thebenman
    You have the fundamentally wrong approach. You have been told "Your house key is under the doormat. This is insecure." and your immediate reaction is "How can I prevent people from lifting my doormat?" – Oct 21 '19 at 12:47

1 Answer


You can't really stop a user from manipulating incoming requests. If you somehow manage to stop Burp from working, an attacker can use curl, or manipulate the request via the browser.

You could make it more complex to manipulate requests by obfuscating them, but that doesn't add any real value.

You could also use some sort of signing mechanism where a signature of the user ID must always be sent alongside the ID. But that would just move the problem to another location (when the ID and signature are requested, you still need to decide for which users to give it out).

The proper solution here is server-side validation. When receiving a request for a verification email, check if the user with the given ID has already received one and that the user who issued the request has the permission to request verification mails for the given ID.

tim
  • Your last comment is generally helpful, but may not be correct here. From the question: `still doesn't solve the problem that **anyone** can trigger an email to anyone if the know or guess their user id` (emphasis mine). Could be that the OP just misspoke, but I wouldn't take it as a given that other aspects of the system are properly secured. – Conor Mancone Oct 21 '19 at 13:30
  • @ConorMancone I misread that. You are right, that doesn't sound good. Users can likely spam other users with emails in other ways (password reset comes to mind) so the impact is still not that high. But that does sound like an authorization problem. – tim Oct 21 '19 at 13:54
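The server-side validation the answer describes, as an added example that is not part of the question or the answer: a plain Ruby service object (runs without Rails) that a controller action would call with the requester taken from the session, never from the request body. The `User` struct, the `users` lookup hash, the mailer callable and the cooldown value are constructed stand-ins for the application's own model and mailer.

```ruby
# Added example: every decision about the submitted id is made here, on the
# server, because the client can change the id to anything it likes.
User = Struct.new(:id, :email, :verified, :admin, :verification_sent_at,
                  keyword_init: true) do
  def verified?
    verified
  end

  def admin?
    admin
  end
end

class SendVerificationEmail
  RESEND_COOLDOWN = 10 * 60 # seconds between resends; a constructed value
  Result = Struct.new(:status, :user)

  # users:  id => User lookup (stand-in for User.find_by(id: ...))
  # mailer: callable that actually delivers the email
  def initialize(users, mailer, clock: -> { Time.now })
    @users, @mailer, @clock = users, mailer, clock
  end

  # requester: the authenticated user from the session (nil if not logged in)
  # target_id: the id the client submitted, treated as untrusted input
  def call(requester:, target_id:)
    # Authorization: only admins may trigger verification emails at all.
    return Result.new(:forbidden, nil) unless requester&.admin?

    user = @users[target_id.to_i]
    return Result.new(:not_found, nil) if user.nil?

    # Business rule: never send to someone who is already verified.
    return Result.new(:already_verified, user) if user.verified?

    # Throttle: refuse rapid resends so a legitimate admin cannot flood a user.
    last = user.verification_sent_at
    if last && @clock.call - last < RESEND_COOLDOWN
      return Result.new(:throttled, user)
    end

    @mailer.call(user)
    user.verification_sent_at = @clock.call
    Result.new(:sent, user)
  end
end
```

In the controller, map `:forbidden` to a 403, `:not_found` to a 404 and the rest to a flash message; the id from `params` goes in as `target_id` and `current_user` as `requester`.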