Bypass Rate Limit
I want to share a simple vulnerability that I find most of the time when I do bug bounty.
For all beginners, I would suggest whenever you try to find bugs in the website; you must try rate limit vulnerability, which is easy to find & more comfortable.
What is rate limit?
A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code 429: Too Many Requests.
Last Sunday I got an invite from a private program on bugcrowd, so I started looking for vulnerabilities.
As usual, I start with rate limit on login form or on a email verification endpoints.
But it was protected with rate limit :(
So decided to bypass it
We All know X-Forwarded-For: IP is commonly used to bypass rate limiting.
So I tried with X-Forwarded-For: IP but no luck :(
I put all of this payloads X-Originating-IP: 127.0.0.1, X-Forwarded-For: 127.0.0.1, X-Remote-IP: 127.0.0.1, X-Remote-Addr: 127.0.0.1 still no luck:(
I got frustrated and typed random words in this payload X-Forwarded-For: asdfgd and boom It worked :)
Immediately created a POC and reported to the program.
After two days program rewarded me $300.
But the story doesn't end here after a 1-month program changed the vulnerability status to resolved.
So I thought let's see what they implemented in a fix, and lucky they were using IP-based blocking which can bypass by rotating proxies.
What is a rotating proxy?
A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection. That means you can launch a script to send 10,000 requests to any number of sites and get 10,000 different IP addresses.
I use AWS API Gateway with IP Rotate Burp Extension, It is easy to use & the main point is no coding required.
So one more time, I was able to bypass it and the program rewarded me $300 again.
If you don't have an AWS account, you can use https://proxyland.io/ - No Credit Card Required, but you may have to create a PHP code for this as it doesn't integrate with IP Rotate Burp Extension.
Always test the vulnerabilities which are patched.
Use the burp suite extension that automatically inserts the bypass headers. https://portswigger.net/bappstore/ae2611da3bbc4687953a1f4ba6a4e04c
Hope you liked it! ❤️