The Rate Limit bypass which almost killed my brain
My name is Sirat, I'm an active bug hunter on HackerOne.
I have previously shared some rate limit stories and how to bypass them; today I would like to share another story, about a rate limit that almost made me go crazy and lose my mind…
The target
It's just a common login endpoint, /login, where you log in with a username and password.
I had already bypassed the email-based rate limit by adding a space to the email; all that was left was the secondary rate limit.
How does the rate limit work
First of all, you must know how the secondary rate limit works in order to bypass it; it was a huge boss built to protect the login page.
The rate limit didn't recognize me by email, username, cookie or anything else; it recognized me by IP. It was already vulnerable to IP rotation, but as you know, many programs don't accept IP rotation.
I was only able to submit fewer than 4 threads per second; if I raised the threads to 5 or 10, the rate limit hit. All I was trying to do was add more threads. I'm already familiar with the program, and I know they won't accept a brute force attack that is only exploitable by submitting 1 request per second.
Finding the key
After digging too deep, I found that if I got rate limited on /login, I could still submit requests to /login/ by adding only an extra slash.
After realizing it, I thought I could add an extra slash to each request in the brute force, but whatever I tried by adding slashes, parameters or headers, I could only submit logins to /login/ while getting rate limited on /login.
Looking for revenge
I tried many things and all of them were useless; I was almost disappointed. After a few hours, something came to my mind.
Do you remember I explained adding more threads to brute force attacks by using different IP addresses?
It was very similar, but as I said I had to do it with the same IP address, so what I did was add threads by brute forcing from the 2 different endpoints, /login and /login/, instead of from different IP addresses.
Final exploitation
Here are the steps and how to do so:
- Add the login request POST /login HTTP/1.1 to Intruder.
- Now add the same request with the second path, POST /login/ HTTP/1.1, to another Intruder tab. As you see, there's only an extra slash.
- Now set 4 threads per second for both Intruder tabs.
- Execute both Intruder tabs. You are now brute forcing the victim's credentials with 8 threads: since the rate limit is separate for the two endpoints and you don't submit more than 4 threads to each of them, you have 8 threads in total and the brute force is much faster.
- That was all.
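As an added defender's-side example (not part of the original post, and not the target's code): a sliding-window rate limiter that keys the per-IP bucket on the canonical path, so /login and /login/ above share one bucket, and keys the per-account bucket on a trimmed, lowercased email, so the extra-space trick shares a bucket too. The IP, email, limits and traffic are constructed for the simulation.

```python
from collections import deque

def canonical_path(path: str) -> str:
    """Strip the query string, collapse repeated slashes and drop trailing slashes."""
    path = path.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"

def canonical_email(email: str) -> str:
    """Trim surrounding whitespace and lowercase so 'a@x.com ' and 'A@x.com' share a key."""
    return email.strip().lower()

class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window` seconds."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: dict = {}  # key -> deque of hit timestamps

    def allow(self, key, now: float) -> bool:
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def login_allowed(ip_limiter, acct_limiter, client_ip, raw_path, email, now) -> bool:
    """Both the per-IP bucket (keyed on the canonical path) and the per-account bucket must have room."""
    ip_key = (client_ip, canonical_path(raw_path))
    return ip_limiter.allow(ip_key, now) and acct_limiter.allow(canonical_email(email), now)

def simulate() -> dict:
    """Constructed traffic: 4 hits to /login then 4 to /login/ from one IP within one second."""
    ip_limiter = SlidingWindowLimiter(limit=4, window=1.0)
    acct_limiter = SlidingWindowLimiter(limit=20, window=60.0)
    paths = ["/login"] * 4 + ["/login/"] * 4
    allowed = sum(
        login_allowed(ip_limiter, acct_limiter, "203.0.113.5", p, "victim@example.com ", i * 0.1)
        for i, p in enumerate(paths)
    )
    return {"allowed": allowed, "denied": len(paths) - allowed}

if __name__ == "__main__":
    print(simulate())  # {'allowed': 4, 'denied': 4}
```

With the raw path as the key instead, the same traffic would be allowed 8 times, which is exactly the doubling described in the steps above.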
I hope you enjoyed the story. Don't forget to follow my Twitter account @siratsami71.