Rate Limit Bypassing Allowing Identity Spoofing

Introduction

While hunting on a program on H1 I needed to register an account to start exploring the application's authenticated requests. I tried to register with my phone number but found that the application only accepts phone numbers from a specific country, so I couldn't use my own number and had to start attacking from this point just to get an account.

Control

To register an account the application sends an SMS to the supplied phone number and then enforces three controls on the verification function:

1- A rate limit that only allows 60 requests per minute.
2- Once the rate limit is exceeded, the IP address and phone number are blocked for some time.
3- A 6-digit code, which makes brute force harder.

So we will try to bypass the enforced rate limit to increase the number of allowed trials and recover the OTP value sent to the user's phone.

Bypassing

Rate limiting is an API control set by API developers to mitigate attacks such as brute force, resource exhaustion and DDoS (Distributed Denial of Service).
It's often used to protect authentication functions such as login, password reset, account verification and two-factor authentication, or any other function that sends messages or emails.

Rate Limit Applied for only 60 requests per minute.

To bypass it I tried different techniques:

1- Changing some request header values (User-Agent, getting a new cookie, changing the source IP address), but with no luck.

2- Adding a new header with the following value:

X-Forwarded-For: 127.0.0.1

Once added, the response showed an increase in the number of allowed trials from 60 to 6000 per minute! This misconfiguration may exist for testing purposes from localhost.

Response After Bypassing
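The root cause is a limiter that keys on whatever X-Forwarded-For says and exempts "localhost". The following is an added example (not the target application's code) that contrasts that weak client-IP resolution with a hardened one that only honours the header when the TCP peer is a known proxy; IPs, the 60/6000 limits and the localhost exemption are constructed to mirror the behaviour described above.

```python
import time
from collections import defaultdict, deque

# Constructed limits: 60/min by default, 6000/min for "localhost" testing,
# mirroring the jump in allowed trials observed in the response above.
LIMITS = {"default": 60, "localhost": 6000}


def client_ip_naive(remote_addr, headers):
    """Weak: trusts X-Forwarded-For from anyone, so the caller picks its own key."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip_safe(remote_addr, headers, trusted_proxies=frozenset()):
    """Hardened: X-Forwarded-For is honoured only when the TCP peer is our own
    proxy, and then only the value that proxy appended (the rightmost one)."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def limit_for(ip):
    return LIMITS["localhost"] if ip == "127.0.0.1" else LIMITS["default"]


class RateLimiter:
    """Sliding-window counter per resolved client IP."""

    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit_for(ip):
            return False
        q.append(now)
        return True


def trials_allowed(ip_resolver, remote_addr, headers, attempts=100):
    """How many of `attempts` OTP checks from one sender get through in a window."""
    limiter = RateLimiter()
    ip = ip_resolver(remote_addr, headers)
    return sum(limiter.allow(ip, now=0.0) for _ in range(attempts))
```

With the naive resolver a request from 203.0.113.5 carrying `X-Forwarded-For: 127.0.0.1` is counted against the localhost bucket; the safe resolver keys it on the real peer address and the 60-request limit holds.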

Result

That allowed brute-forcing the OTP value and spoofing the identity of any user by using their phone number, as long as that number was not yet registered.

Penetration Tester | Bug Bounty Hunter https://www.linkedin.com/in/t4144t/