Bypassing rate limit abusing misconfiguration rules
This time I’ll share with you how I was able to bypass rate limit implemented on all forms in a private program so let’s get started :)
A little bit about Rate Limit:
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache.
In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code429: Too Many Requests.
In the discovery process I noticed that all application functions were protected by rate limit, so I started thinking about how to ignore this algorithm implemented by the company, because once ignored, I could perform brute force attacks on multiple application functions, such as:
- Create multiple users through brute force
- Bruteforce attacks on Sign In page
- 2FA bypass (unfortunately the application did not implement 2FA methods)
Trigger rate limit algorithm purposefully and then change my IP. When performing such test, I was able to send 4 more requests, after that, I was blocked again.
Did you notice anything?
With this test, I got a sense that rate limit rule was being implemented by IP. I was able to identify that every 4 Requests the IP was blocked. We can now assume that the application is constantly checking how many requests we make through our remote IP.
I immediately thought of a second possibility: A common error in implementing a rate-limit rule is that sometimes the rule is created to block brute force attacks from remote Ips with the exception of IP 127.0.0.1 (localhost)
Add to HTTP Request Header X-Remote-IP: 127.0.0.1
And … Rate Limit Bypass successfully completed!
This opened up several possibilities such as: Perform brute force on login page (which was protected with rate limit)
Perform password change spam:
If the application had two-factor authentication, we could also perform this attack on users password, but unfortunately there was no such mechanism enabled :(
There’s a Burp Suite extension that automatically inserts the bypass headers into all your HTTP requests, you can find it here
It’s a way for you to perform burp intruder attacks without having to manually insert headers in every request you make. The attack would look like this:
Finally, I would like to thank the whole bug bounty community, it’s always a great pleasure to learn with all of you :)
Hope you liked it!
Find me here.