Rate Limit Bypassing Allowing Identity Spoofing
Introduction
While hunting on a program on H1 I needed to register an account to start exploring the application's authenticated requests. I tried to register with my phone number but found that it only accepts phone numbers from a specific country, so I wasn't able to use my own number and had to start attacking from this point just to get an account.
Control
To register an account, the application sent an SMS to the supplied phone number and then enforced three controls on the verification function:
1- A rate limit that only allows 60 requests per minute.
2- Once the rate limit is exceeded, both the IP address and the phone number are blocked for some time.
3- A 6-digit code, which makes brute force harder.
So the plan was to bypass the enforced rate limit, raising the number of allowed attempts enough to recover the OTP sent to the target phone. With a six-digit code there are one million candidates, and at 60 requests per minute exhausting them would take more than eleven days, so the rate limit, not the code length, is the control doing the real work.
Bypassing
Rate limiting is an API control set by developers to mitigate attacks such as brute force, resource exhaustion and DDoS (Distributed Denial of Service).
It is often used to protect authentication functions such as login, password reset, account verification and two-factor authentication, or any other function that sends messages or emails.
To bypass it I tried different techniques:
1- Changing the values of some request headers (User-Agent, obtaining a new cookie, changing the source IP address), but with no luck.
2- Secondly, adding a new header with the following value:
X-Forwarded-For: 127.0.0.1
Once this was done, the response showed an increase in the number of allowed trials from 60 to 6000 per minute! This misconfiguration may exist for testing purposes from localhost.
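To make the misconfiguration concrete, here is an added example (not code from the original post or from the target program) of a rate limiter that derives its per-client bucket from X-Forwarded-For, beside a hardened version. The quotas (60 per minute for everyone, 6000 per minute for what the server believes is localhost), the trusted proxy address 10.0.0.5, the attacker address 203.0.113.9 and the request dictionaries are all constructed to mirror the behaviour described above; none of them come from the program.

```python
"""Rate-limit bucketing that trusts X-Forwarded-For, beside a hardened version.

Added example, not code from the original writeup or the target program.
The limits, the proxy address and the request dicts are constructed to mirror
the behaviour the writeup describes.
"""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 60
LIMIT_DEFAULT = 60        # constructed: the normal quota from the writeup
LIMIT_LOCALHOST = 6000    # constructed: the relaxed "testing" quota
# Assumption: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_key_naive(request):
    """Vulnerable: believe the leftmost X-Forwarded-For entry from any peer.
    The header is attacker-controlled, so the attacker picks their own bucket
    and can claim to be 127.0.0.1."""
    xff = request["headers"].get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request["remote_addr"]


def client_key_hardened(request):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the rightmost entry, which is the address that proxy appended.
    Anything the client put in the header itself is ignored."""
    peer = request["remote_addr"]
    xff = request["headers"].get("X-Forwarded-For")
    if ipaddress.ip_address(peer) in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


def quota_for(key, hardened):
    """The naive limiter grants loopback the relaxed quota; the hardened one
    gives every key the same quota. Unparseable keys (garbage in XFF) are
    treated as ordinary clients rather than raising."""
    if hardened:
        return LIMIT_DEFAULT
    try:
        is_loopback = ipaddress.ip_address(key).is_loopback
    except ValueError:
        is_loopback = False
    return LIMIT_LOCALHOST if is_loopback else LIMIT_DEFAULT


class SlidingWindowLimiter:
    """Per-key sliding window. The clock is passed into allow() so the
    simulation below is deterministic."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.hits = defaultdict(deque)

    def allow(self, request, now):
        key = (client_key_hardened if self.hardened else client_key_naive)(request)
        window = self.hits[key]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= quota_for(key, self.hardened):
            return False
        window.append(now)
        return True


def accepted_in_one_minute(hardened, attempts=10_000):
    """Constructed attacker: a non-proxy peer that sends
    X-Forwarded-For: 127.0.0.1 with every OTP guess. Returns how many guesses
    the limiter lets through within a single 60-second window."""
    limiter = SlidingWindowLimiter(hardened)
    request = {
        "remote_addr": "203.0.113.9",  # constructed attacker address
        "headers": {"X-Forwarded-For": "127.0.0.1"},
    }
    step = WINDOW_SECONDS / attempts
    return sum(limiter.allow(request, i * step) for i in range(attempts))


def worst_case_minutes(otp_digits, guesses_per_minute):
    """Minutes needed to try every code at a given accepted rate; shows that the
    quota, not the six digits, is what makes the attack impractical."""
    return 10 ** otp_digits / guesses_per_minute


if __name__ == "__main__":
    for hardened in (False, True):
        n = accepted_in_one_minute(hardened)
        print(f"hardened={hardened}: {n} guesses/min, "
              f"exhaustive search {worst_case_minutes(6, n):.0f} min")
```

Two things the hardened variant gets right: the forwarded address is only trusted when the connection actually arrives from the proxy, and it is read from the right-hand end of the header, where the proxy appended it, rather than from the attacker-supplied left end. Since the real service also blocked per phone number, keying a second bucket on the phone number would close the remaining gap, where an attacker rotates source addresses instead of spoofing one.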
Result
That allowed brute forcing the OTP value and spoofing the identity of any user by registering with their phone number, as long as they had not yet registered.