My journey with rate limit bypasses
Intro
My name is Sirat and bug hunting is my only job. My English is not very good, sorry if you have some problems with my grammar. It's also my first story ever and I don't care too much about its niceness; I try to explain everything in a very simple way…
As a hacker or bug hunter you should know about rate limits. They are used to stop attackers from brute forcing or flooding an endpoint. For example, if you try to log in to the victim's account and fail 5 times, the application limits your login action because you have tried too many login attempts and might be guessing the victim's credentials; once you are limited you have to wait 10 minutes, an hour or longer before trying again. Now you know what a rate limit is.
For an attacker, a missing or weak rate limit can be used for spamming, guessing the victim's credentials, flooding, sometimes denial of service attacks, etc. Search for it if you don't know about it.
People who follow me on Twitter (https://twitter.com/siratsami71) know that I have shared some bounties about rate limit bypasses.
Many of the bypass methods I write about here I have never seen anywhere else.
How does a rate limit work, or how does it recognize the attacker?
Many rate limits recognize the attacker by IP address, by the victim's email or username you are trying to brute force on the login page, by cookies, tokens, HTTP headers, etc.
How to bypass rate limits, or make them not recognize us as an attacker?
First you have to know how the rate limit works; once you know that, it is much easier to bypass. Don't do anything blindly…
IP address based rate limit bypasses
This is a very good way to secure a rate limit and very hard to bypass, but it is still vulnerable. I already know it can be bypassed by IP rotation, and from my experience I know that many programs ignore IP rotation bypasses, so how else can it be bypassed? I have a bypass for it that still exists on many websites.
As an attacker, e.g. when you try to brute force the victim's credentials, try sending 1 request every 5 seconds, or 10 seconds, or even 60 seconds (you can do it with ffuf or Intruder) and check whether the application limits you. If the application does not rate limit you when you send e.g. 1 request per 5 seconds, you can bypass the rate limit. I know 300 requests are usually required for a PoC, and sending 5 requests per 1 second is really hard to have an impact with.
You can install 5 OSes, e.g. 5 Linux VMs in VirtualBox, and install a VPN on each so that every one of them has a different IP address, then brute force the endpoint from all of them. In this case each machine brute forces the endpoint with 1 thread per 5 seconds, and all machines together give you 5 threads per 1 second; that is how you can bypass it. I have triaged reports with that case and it is still vulnerable.
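As the defender-side counterpart to the slow-trickle and multi-VPN technique above, here is an added example (my own code, not from this post or from any product) of a login limiter that enforces a short burst window and a long hourly budget at the same time, keyed on both the server-observed client IP and the target account. The thresholds (5 failures per 10 seconds, 20 per hour), the address `198.51.100.7`, and the simulated clock are assumptions of the example.

```python
"""Added example: multi-window, multi-key login limiter.
Thresholds, addresses and the simulated clock are constructed for illustration."""
from collections import defaultdict, deque


class LoginLimiter:
    def __init__(self, windows, per_account=True):
        # windows: (window_seconds, max_failures) pairs; every pair must hold.
        self.windows = tuple(windows)
        self.per_account = per_account
        # key -> deque of failure timestamps. Only failures are recorded, so a
        # user who logs in successfully is never penalised by this limiter.
        self._failures = defaultdict(deque)

    def _keys(self, client_ip, account):
        keys = [("ip", client_ip)]
        if self.per_account:
            # The account's budget is shared by every source address, which is
            # what defeats spreading a slow trickle across several VPN exits.
            keys.append(("account", account))
        return keys

    def is_allowed(self, now, client_ip, account):
        longest = max(w for w, _ in self.windows)
        for key in self._keys(client_ip, account):
            q = self._failures[key]
            while q and q[0] <= now - longest:   # forget what no window can see
                q.popleft()
            for window, limit in self.windows:
                if sum(1 for t in q if t > now - window) >= limit:
                    return False
        return True

    def record_failure(self, now, client_ip, account):
        for key in self._keys(client_ip, account):
            self._failures[key].append(now)


BURST_ONLY = ((10, 5),)                    # assumed: 5 failures per 10 s
BURST_AND_HOURLY = ((10, 5), (3600, 20))   # assumed: plus 20 failures per hour


def simulate_trickle(windows, interval_seconds, attempts, sources, per_account=True):
    """Constructed scenario: each address in `sources` sends one failed login
    every `interval_seconds` against the same account, round-robin. Returns how
    many attempts the limiter let through. Time is simulated, not real."""
    limiter = LoginLimiter(windows, per_account)
    allowed = 0
    for i in range(attempts):
        now = i * interval_seconds / len(sources)
        ip = sources[i % len(sources)]
        if limiter.is_allowed(now, ip, "victim@mail.com"):
            allowed += 1
            limiter.record_failure(now, ip, "victim@mail.com")
    return allowed


if __name__ == "__main__":
    one = ["198.51.100.7"]
    five = ["198.51.100.%d" % k for k in range(1, 6)]
    print("burst-only, 1 req/5 s, 300 tries:", simulate_trickle(BURST_ONLY, 5, 300, one))
    print("burst+hourly, same trickle:", simulate_trickle(BURST_AND_HOURLY, 5, 300, one))
    print("burst+hourly, 5 exits, IP key only:", simulate_trickle(BURST_AND_HOURLY, 5, 300, five, False))
    print("burst+hourly, 5 exits, IP+account:", simulate_trickle(BURST_AND_HOURLY, 5, 300, five))
```

Run against the scenario in the post, the burst-only configuration lets all 300 trickled requests through, while adding the hourly window stops the same trickle after 20. Spreading the trickle over five exit addresses gets 100 attempts past an IP-only key (20 per address) but still only 20 past the shared account key. The general point is that the limiter key must come from things the server observed or resolved itself (peer address, the account the login maps to), never from a value the client can simply refresh or replace.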
Email/Username based rate limit bypass
Some rate limits, whether or not they already detect the attacker's IP address, still recognize the attacker by the email or username being brute forced on the login page. E.g. the victim's email address you are brute forcing is victim@mail.com; if you make 5 failed login attempts with this email address you will be limited.
First you have to confirm that it is not an IP address based rate limit. To check, change the email to any other email, e.g. from victim@mail.com to anything@mail.com. If the rate limit still exists, you are recognized by your IP address; if it does not, the rate limit recognizes you by the email address used. So how to bypass it?
To bypass these kinds of rate limits, focus on making the rate limit not recognize the email. There are many ways to do it: change the letter case of the email from victim@mail.com to VictIM@mail.com; change the email's characters to lookalikes, e.g. vįctim@mâil.com; add a space or other characters to the email, e.g. [space]victim@mail.com, victim+@mail.com, +victim@mail.com; it is also known that you can bypass it with encoding techniques such as victim@m%61il.com or victim@m\u0061il.com; and there are many other things to try…
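The fix on the application side is to never key the limiter on the raw submitted string. Here is an added example (my own code, not from this post) that derives a canonical key from the identifier so that the case, lookalike-character, whitespace, plus-tag and encoding variants listed above all land in the same bucket. The normalisation steps and the sample inputs are assumptions of the example, and the folding is deliberately aggressive: for a limiter key, colliding two genuinely different addresses only means they share a failure budget.

```python
"""Added example: canonical rate-limit key for a submitted login identifier.
Normalisation rules and sample values are constructed for illustration."""
import re
import unicodedata
from urllib.parse import unquote

_JSON_U_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def canonical_login_key(raw):
    s = raw
    # 1. Undo transport encodings a lax handler might leave in place: literal
    #    "\u0061" sequences and percent-encoding, repeated so that a
    #    doubly-encoded value also collapses.
    for _ in range(3):
        s = _JSON_U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote(s)
    # 2. Compatibility-decompose (full-width letters, ligatures) and drop the
    #    combining marks, so 'vįctim@mâil.com' folds to 'victim@mail.com'.
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    # 3. Remove whitespace and control/format characters anywhere in the value
    #    (leading spaces, zero-width spaces, stray tabs).
    s = "".join(ch for ch in s
                if not (ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf")))
    # 4. Case-fold the whole address. Domains are case-insensitive already;
    #    treating the local part the same way closes the VictIM@ variant.
    s = s.casefold()
    # 5. Strip sub-addressing: anything from the first '+' in the local part,
    #    and a leading '+' as well.
    local, sep, domain = s.partition("@")
    local = local.lstrip("+").split("+", 1)[0]
    return local + sep + domain


# Constructed inputs: the variants discussed in the post.
VARIANTS = [
    "victim@mail.com",
    "VictIM@mail.com",
    "vįctim@mâil.com",
    " victim@mail.com",
    "victim+@mail.com",
    "+victim@mail.com",
    "victim@m%61il.com",
    r"victim@m\u0061il.com",
]


def distinct_keys(values):
    """Return the set of limiter keys a list of submitted identifiers maps to."""
    return {canonical_login_key(v) for v in values}


if __name__ == "__main__":
    for v in VARIANTS:
        print(repr(v), "->", canonical_login_key(v))
    print("distinct keys:", distinct_keys(VARIANTS))
```

String normalisation can never anticipate every alias a mail provider accepts, so the strongest key is the account record the login actually resolves to, looked up after normalisation and combined with the per-IP budget; the canonical string is the fallback for identifiers that match no account.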
Bypassing captchas that are used instead of rate limits
Again the common and hardest one to bypass, but still vulnerable: captchas are commonly used as rate limits. They are pretty hard to bypass, but still vulnerable if the developer did not use them correctly…
Captcha bypasses should be done from the browser. Does the captcha require you to confirm that you are human, or does it confirm it by itself? If it does not ask you to confirm that you are human, it can be bypassed.
Send 50 requests and check whether the captcha is still not asking for human confirmation. If it does not ask, you can brute force the endpoint from the browser; if you have good coding skills you can write a script that brute forces the endpoint from inside the browser by itself. You cannot do it with plain HTTP requests since there is a captcha.
If after 10 requests the captcha starts asking you for human confirmation, check the Email/Username based rate limit bypass again.
Sometimes a rate limit and a captcha both protect the endpoint, and you might have to bypass both of them.
Bypassing rate limits that use cookies
Some rate limits use the authenticated or unauthenticated cookies to rate limit the attacker. E.g. when you try to brute force the login page and the application rate limits you, the rate limit might recognize you by the cookies you used, not by your IP address or the email.
Actually, when I hear that cookies are used for a rate limit, what I hear is a rate limit bypass; using cookies to detect an attacker is the worst rate limit I have ever seen. Cloudflare rate limits attackers by their cookies, by the way…
It is pretty easy to bypass: when you hit the rate limit as an attacker, send a request to the application with no cookies so that it issues you new cookies by itself (in many cases), use the new cookies, and the rate limit should no longer exist.
You can collect many unused cookies and use them while brute forcing; this can be done with Intruder…
Bypassing rate limits that use tokens
Some rate limits give a token to every user who sends a request to a sensitive endpoint. E.g. as an attacker, when you try to log in you might notice a parameter and value like this in the requests: ?requestid=tokenand123312
Sometimes these tokens are only valid for 1 request; for another login request you need another fresh token. That can be bypassed if you brute force the endpoint from the browser: you can bypass the rate limit if you automate the brute force so that every request you send gets its own token, LOL…
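Both the captcha section and the token section come down to the same design mistake: a per-request challenge (a captcha response, a `requestid` token) is treated as if it were the rate limit, so a client that fetches a fresh challenge for every request is never counted. Here is an added example (my own code, not from this post or any product) in which the token is single-use but the failed-attempt counter is kept separately and keyed on the account, so fresh tokens buy the client nothing. The token format, the budget of 5 failures and the flow are assumptions of the example.

```python
"""Added example: single-use challenge tokens with an independent attempt budget.
Token format, threshold and the simulated client are constructed for illustration."""
import secrets


class ChallengeGate:
    MAX_FAILURES = 5    # assumed per-account failure budget

    def __init__(self):
        # Issued but not yet spent tokens (a real store would expire them).
        self._live_tokens = set()
        # account -> failed attempts so far; independent of any token.
        self._failures = {}

    def issue_token(self):
        """Called when the login form (or captcha) is rendered: one token per load."""
        tok = secrets.token_urlsafe(16)
        self._live_tokens.add(tok)
        return tok

    def attempt(self, account, token, password_ok):
        """Returns 'blocked', 'bad_token', 'failed' or 'ok'."""
        # The budget is checked first and never depends on the token.
        if self._failures.get(account, 0) >= self.MAX_FAILURES:
            return "blocked"
        valid = token in self._live_tokens
        self._live_tokens.discard(token)    # single use, success or not
        if valid and password_ok:
            self._failures.pop(account, None)
            return "ok"
        # Every unsuccessful attempt costs budget, including replayed or forged
        # tokens, so fetching a fresh token per request does not reset anything.
        self._failures[account] = self._failures.get(account, 0) + 1
        return "failed" if valid else "bad_token"


def simulate_automated_guessing(guesses):
    """Constructed scenario: an automated client that loads the form and gets a
    fresh token before each wrong guess, the way a browser-driven script would.
    Returns the list of outcomes in order."""
    gate = ChallengeGate()
    outcomes = []
    for _ in range(guesses):
        tok = gate.issue_token()
        outcomes.append(gate.attempt("victim@mail.com", tok, password_ok=False))
    return outcomes


if __name__ == "__main__":
    print(simulate_automated_guessing(8))
```

The two rules the gate follows are the ones to look for when reviewing an endpoint: the budget is consulted before the challenge is even examined, and an attempt with an invalid or replayed challenge still consumes budget. A captcha that only appears after the counter trips is fine as an extra hurdle, but it is not a substitute for the counter.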
Bypassing rate limits that use HTTP headers
Some rate limits detect the attacker by HTTP headers, e.g. the Host header or the URL.
As an attacker, when you hit a rate limit, try removing the HTTP Host header, or try editing it from Host: victim.com to Host: VICTIM.com or Host: anything.victim.com. You might also need to change the URL, e.g. /login to /Login, //login, or /login?dasdasd=asda.
Fooling the server to bypass rate limits…
There are some HTTP headers that can confuse the application server about which attacker is brute forcing the endpoint.
A good example is the HTTP X-Forwarded-Host header. I really don't know what it is used for, but all I know is that if the application accepts that header on the sensitive endpoint you can spoof your IP address: when you hit the rate limit, send a request and add this header: X-Forwarded-Host: 222.123.321.32. It is not your IP address, but it makes the server think you visited the endpoint from a different IP address.
Spoofing the URL also exists: you can use the header X-Original-Url: https://victim.com/home when you are actually sending the request to https://victim.com/login. This header tells the server that the endpoint you are requesting is not the real one; the endpoint you want to send the request to is https://victim.com/home.
There are also other headers you can use to fool servers.
Bypass and Bypasses and other bypasses…
I don't think there is any guarantee that a rate limit cannot be bypassed; all you need to know is how the target's rate limit logic works, then try to bypass it.
There are tons of ways to bypass rate limits. I have been bypassing rate limits since last year and I can say I have good experience with it, but I only explained the ways I have bypassed with. It can be hard to bypass, but it is never impossible…
This story is to help you understand how a rate limit could be bypassed; the best way is to mix all the bypasses together while trying to bypass a rate limit.
Here is a good source to learn more from: https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass
My twitter: https://twitter.com/siratsami71