Rate Limit Bypassing Allowing Identity Spoofing

Introduction

While hunting on a program on H1, I needed to register an account to start exploring the application's authenticated requests. I tried to register with my phone number but found that it only accepts phone numbers from a specific country, so I wasn't able to use my phone number and had to start attacking from this point just to get an account.

Control

To register an account, the application sent an SMS to the registered phone number and then enforced three controls on the verification function:

1- A rate limit control that only allows 60 requests per minute.
2- Once the rate limit is exceeded, the IP address and the phone number are blocked for some time.
3- A 6-digit code, which makes brute force harder.

So we will try to bypass the enforced rate limit to increase the number of allowed attempts and recover the OTP value sent to the user's phone.

Bypassing

Rate limiting is an API control set by API developers in order to mitigate attacks such as brute force, resource exhaustion and DDoS (Distributed Denial of Service).
It is often used to protect authentication functions such as login, password reset, account verification and two-factor authentication, or any other function that sends messages or emails.

Rate Limit Applied for only 60 requests per minute.

To bypass it, I tried different techniques:

1- Changing some request header values (for example the User-Agent), getting a new cookie, and changing the source IP address, but with no luck.

2- Secondly, I tried adding a new header with the following value:

X-Forwarded-For: 127.0.0.1

Once done, the response showed an increase in the number of allowed trials from 60 to 6000 per minute! This misconfiguration may exist for testing purposes from localhost!

Response After Bypassing

Result

That allowed brute-forcing the OTP value and spoofing the identity of any user by using their phone number, if they were not yet registered.
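The following Python model is added here to show why the header changed the limit; it is not the tested application's code. It models the three controls listed above (60 requests per minute, a block once exceeded, a 6-digit code) and contrasts a client-IP lookup that trusts X-Forwarded-For from any peer, so a remote client can inherit a localhost exemption, with a hardened lookup that honours the header only behind a known proxy and drops the exemption entirely. The localhost limit of 6000, the proxy range 10.0.0.0/8, the sample addresses and the phone number are constructed assumptions.

```python
"""OTP-verification rate limiting: a client-IP lookup that blindly trusts
X-Forwarded-For (the weak setting the post describes), beside a hardened one
that only honours the header behind a known proxy and never exempts localhost.
Added example; not the tested application's code."""
import ipaddress
import time
from collections import defaultdict

# Assumed: the reverse proxies that terminate client connections live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
DEFAULT_LIMIT = 60        # verification requests per minute, as on the page
LOCALHOST_LIMIT = 6000    # the "testing from localhost" exemption the page observed
WINDOW_SECONDS = 60.0


def client_ip_weak(peer_ip, headers):
    """Weak: takes the first X-Forwarded-For entry from any peer. Any client can
    therefore claim to be 127.0.0.1 and inherit the localhost exemption."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers):
    """Hardened: honour X-Forwarded-For only when the TCP peer is a trusted proxy,
    and walk the list from the right, skipping proxy hops, to find the address the
    proxy itself appended. Anything unparseable falls back to the peer address."""
    def trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in TRUSTED_PROXIES)

    if not trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break
    return peer_ip


class RateLimiter:
    """Sliding-window limiter keyed on both the resolved client IP and the target phone."""

    def __init__(self, resolve_ip, localhost_exempt, now=time.monotonic):
        self.resolve_ip = resolve_ip
        self.localhost_exempt = localhost_exempt
        self.now = now
        self.hits = defaultdict(list)

    def _limit_for(self, ip):
        if self.localhost_exempt and ip == "127.0.0.1":
            return LOCALHOST_LIMIT
        return DEFAULT_LIMIT

    def allow(self, peer_ip, headers, phone):
        """True if this verification attempt stays under the limit on both keys."""
        ip = self.resolve_ip(peer_ip, headers)
        limit = self._limit_for(ip)
        t = self.now()
        allowed = True
        for key in (("ip", ip), ("phone", phone)):
            recent = [h for h in self.hits[key] if t - h < WINDOW_SECONDS]
            recent.append(t)
            self.hits[key] = recent
            if len(recent) > limit:
                allowed = False
        return allowed


def attempts_allowed(limiter, attempts, peer_ip, headers, phone):
    """How many of `attempts` back-to-back verification requests get through."""
    return sum(1 for _ in range(attempts) if limiter.allow(peer_ip, headers, phone))


def minutes_to_exhaust(per_minute, digits=6):
    """Minutes needed to try every code of the given length at a sustained rate."""
    return 10 ** digits / per_minute


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "127.0.0.1"}   # constructed request header
    phone = "+15555550100"                      # constructed phone number
    weak = RateLimiter(client_ip_weak, localhost_exempt=True, now=lambda: 0.0)
    hard = RateLimiter(client_ip_hardened, localhost_exempt=False, now=lambda: 0.0)
    print("weak limiter, spoofed header:", attempts_allowed(weak, 200, "203.0.113.5", spoof, phone))
    print("hardened limiter, spoofed header:", attempts_allowed(hard, 200, "203.0.113.5", spoof, phone))
    print("minutes to exhaust 6 digits at 60/min:", round(minutes_to_exhaust(60)))
    print("minutes to exhaust 6 digits at 6000/min:", round(minutes_to_exhaust(6000)))
```

The hardened lookup makes two changes that matter independently: the header is ignored unless the connection really comes from a proxy the application owns, and there is no per-address exemption at all, so even a request that legitimately resolves to 127.0.0.1 is limited like any other. The last two lines quantify the risk: at 60 attempts per minute a full search of a 6-digit space takes about 16667 minutes, at 6000 per minute about 167.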

Mohamed Talaat (@T4144t)
Penetration Tester | Bug Bounty Hunter https://www.linkedin.com/in/t4144t/