Bypassing rate limit abusing misconfiguration rules

Daniel V
Daniel V
Feb 15, 2019 · 3 min read
Image for post
Image for post

Hello Friends,

This time I’ll share with you how I was able to bypass rate limit implemented on all forms in a private program so let’s get started :)

A little bit about Rate Limit:

A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.

In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code429: Too Many Requests.

Image for post
Image for post

Discovery Phase:

In the discovery process I noticed that all application functions were protected by rate limit, so I started thinking about how to ignore this algorithm implemented by the company, because once ignored, I could perform brute force attacks on multiple application functions, such as:

  • Create multiple users through brute force
  • Bruteforce attacks on Sign In page
  • 2FA bypass (unfortunately the application did not implement 2FA methods)

First attempt:

Trigger rate limit algorithm purposefully and then change my IP. When performing such test, I was able to send 4 more requests, after that, I was blocked again.

Did you notice anything?

With this test, I got a sense that rate limit rule was being implemented by IP. I was able to identify that every 4 Requests the IP was blocked. We can now assume that the application is constantly checking how many requests we make through our remote IP.

Interesting…

I immediately thought of a second possibility: A common error in implementing a rate-limit rule is that sometimes the rule is created to block brute force attacks from remote Ips with the exception of IP 127.0.0.1 (localhost)

Second attempt:

Add to HTTP Request Header X-Remote-IP: 127.0.0.1

And … Rate Limit Bypass successfully completed!

Attack Scenarios:

This opened up several possibilities such as: Perform brute force on login page (which was protected with rate limit)

Image for post
Image for post

Perform password change spam:

Image for post
Image for post
Image for post
Image for post

If the application had two-factor authentication, we could also perform this attack on users password, but unfortunately there was no such mechanism enabled :(

Tips:

There’s a Burp Suite extension that automatically inserts the bypass headers into all your HTTP requests, you can find it here

It’s a way for you to perform burp intruder attacks without having to manually insert headers in every request you make. The attack would look like this:

Image for post
Image for post

Finally, I would like to thank the whole bug bounty community, it’s always a great pleasure to learn with all of you :)

Hope you liked it!

Find me here.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade