Sunday, April 17, 2022

Top Tricks for Rate Limit Bypass - Bug Hunting


Some headers can be used to bypass rate limiting. All you have to do is add the header just under the Host header in the request.


Use one of the following headers just below the Host header:

X-Forwarded-For: IP

X-Forwarded-IP: IP

X-Client-IP: IP

X-Remote-IP: IP

X-Originating-IP: IP

X-Host: IP

X-Client: IP


Or use a double X-Forwarded-For header:

X-Forwarded-For:

X-Forwarded-For: IP



Example use:

X-Forwarded: 127.0.0.1

X-Forwarded-By: 127.0.0.1

X-Forwarded-For: 127.0.0.1

X-Forwarded-For-Original: 127.0.0.1

X-Forwarder-For: 127.0.0.1

X-Forward-For: 127.0.0.1

Forwarded-For: 127.0.0.1

Forwarded-For-Ip: 127.0.0.1

X-Custom-IP-Authorization: 127.0.0.1

X-Originating-IP: 127.0.0.1

X-Remote-IP: 127.0.0.1

X-Remote-Addr: 127.0.0.1



Rate Limit Bypass using Special Characters


  • Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.
  • Try adding a space character after the email (not encoded).
  • Some common characters that help bypass the rate limit: %0d, %2e, %09, %20, %0, %00, %0d%0a, %0a, %0C
  • Adding a slash (/) at the end of the API endpoint can also bypass the rate limit: domain.com/v1/login -> domain.com/v1/login/
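Seen from the server side, the header tricks and the special-character tricks above all work because the limiter's key is built from attacker-controlled, un-normalised input. The following is an added example, not code from the original post, showing one way to build keys that these variations cannot split; the trusted proxy range, the function names and the sample addresses are assumptions.

```python
import ipaddress, time, unicodedata
from collections import defaultdict, deque
from urllib.parse import unquote

# Assumption: only these hops may set X-Forwarded-For (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, headers):  # headers: list of (name, value) pairs
    if not _trusted(peer_ip):
        return peer_ip  # direct connection: forwarding headers are ignored
    # Merge repeated X-Forwarded-For lines in order, then split into hops.
    hops = [h.strip() for name, value in headers if name.lower() == "x-forwarded-for"
            for h in value.split(",") if h.strip()]
    try:
        for hop in reversed(hops):  # rightmost entries were added by our proxies
            if not _trusted(hop):
                return str(ipaddress.ip_address(hop))
    except ValueError:
        pass  # malformed entry: fall back to the socket peer
    return peer_ip

def normalise_identifier(email):  # drops control chars, whitespace, trailing dot
    kept = "".join(c for c in unquote(email) if unicodedata.category(c)[0] != "C")
    return kept.strip().rstrip(".").lower()

def normalise_path(path):
    return "/" + path.strip("/")  # /v1/login/ and /v1/login share one bucket

class SlidingWindowLimiter:
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def check(limiter, peer_ip, headers, path, email, now=None):
    route = normalise_path(path)
    keys = [("ip", client_ip(peer_ip, headers), route),
            ("account", normalise_identifier(email), route)]
    return all([limiter.allow(k, now) for k in keys])  # count on both keys
```

Because the account key is counted independently of the IP key, a client that really does change its source address still hits the per-account limit.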

Using IP Rotate Burp Extension

Try changing the user-agent, the cookies... anything that could identify you.

If they limit to 10 tries per IP, change the IP inside the header every 10 tries. Change other headers as well.

Burp Suite's IP Rotate extension works great in most cases. Make sure you have Python installed as well.

Here you'll find everything you need: https://github.com/PortSwigger/ip-rotate


Example Report Submitted by Bug Hunter for Rate Limit Bypass

https://hackerone.com/reports/1067533

I have found a technique that can easily bypass the rate limit system of the website, and with this bug an attacker can easily attack the login panel, send an unlimited number of huge notifications to a victim, bypass OTP codes, take over accounts, etc. Basically, I have added a header X-Forwarded-For: 127.0.0.1 which will bypass the rate limit and reset request limits. Every time the rate limit is exceeded, just change the IP to another one and the rate limit will reset itself.

Steps to Reproduce:

Visit https://www.trycourier.app/

Go to the email section

Enter the victim's email address

Fire up Burp Suite and intercept the request

Now continue sending the request. If the rate limit is reached and you are blocked, add the X-Forwarded-For: 127.0.0.1 header. This will easily reset the rate limit. You can change the IP address to 127.0.0.2, 3, 4, 5, 6 every time the website blocks you.

(With this bypass you can easily send an unlimited amount of huge email notifications to the victim and annoy the victim.)

Impact

  • Brute forcing the login panel
  • Trouble for the users on the website, because huge email bombing can be done by attackers within seconds.
  • Brute forcing OTP codes, etc.

 
