Rate Limit Bypass By Parameter Tampering | Easy Win
Hello everyone, I hope you are doing well!
In this blog, I will walk you through a rate limit bypass technique. It is an easy win!
Let's get started and confuse the WAF to bypass the rate limit.
How does rate limit work?
Rate limiting restricts how often someone may repeat an action within a given interval. Once the number of actions exceeds the limit, the server responds with the "429 Too Many Requests" status code, which indicates that the client has sent too many requests in a given amount of time.
Where to find it?
You can find and test whether rate limiting is implemented on functions such as the following (each with the attack a missing limit enables):
- OTP Verification: Bypass 2FA by brute-forcing the code
- Forgot Password: Email Bombing
- Signup: Create bulk users
- Login: Username / Password Bruteforce
- Functions that create records in the DB: Storage Outage
- Reset Password: Old Password Bruteforce
How to detect it?
- Capture the request in Burp Suite and send it to Intruder.
- Add a payload position on the q value of the Accept-Language header as follows and set the payload type to Numbers from 1 to 100 with step 1 -> q=0.§5§. The q value is only a quality weight for the language preference, so changing it makes every request unique without changing what the application does with it.
- Start the attack.
- If you get "200 OK" or another success status code for every request, you can report this bug as "No Rate Limit at XYZ Leads to ABC".
- Otherwise, if you see "429 Too Many Requests" after some requests, rate limiting is in place on that function and we can proceed to the bypass techniques.
Methodology To Bypass Rate Limit
Consider a scenario where you have detected rate limit protection on the "Forgot Password" function. If it is bypassed, it can lead to email bombing.
1. Capture the request in Burp. Send the request to Intruder and set the attack type to Cluster Bomb.
2. Add two positions as follows: the first on the last segment of the endpoint path and the second on the q value of the Accept-Language header.
POST /users/§reset-password§ HTTP/1.1
Host: api.redacted.eu
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.§5§
Accept-Encoding: gzip, deflate
Referer: https://app.redacted.eu/lost-password
Content-Type: application/json; charset=utf-8
Content-Length: 33
Origin: https://app.redacted.eu
Connection: close
Cookie: gcl=1.1.121338148.1680190017;
Sec-Fetch-Site: same-site
{"email":"wisax34347@djpich.com"}
3. The rate limit can be bypassed by changing the case of the endpoint. For example, the original endpoint is 'reset-password' and it can be changed to combinations such as 'Reset-Password' and 'RESET-PASSWORD'. This works when the application's router matches the path case-insensitively (so every spelling still reaches the reset handler) while the rate limiter or WAF keys its counter on the exact path it saw, so each spelling gets its own fresh quota.
4. To generate the case combinations of the endpoint, you can use Tinker (https://github.com/heydc7/Tinker) for parameter tampering.
5. Payload 1
reset-password
Reset-Password
reset-Password
Reset-password
RESET-PASSWORD
Reset-passworD
reSet-passwOrd
resEt-passwoRd
rEset-pasSword
reSet-paSSword
rEsEt-pAssword
rEsEt-pAsswOrd
6. Payload 2 (on the q value)
Numbers from 1 to 10 with step 1
7. Start the attack. Cluster Bomb sends every combination of the two payloads (12 spellings x 10 q values = 120 requests); if the bypass works, you will see the reset emails piling up in your mailbox.
8. To make the traffic look more legitimate to the WAF, you can additionally set the throttle (Intruder -> Options -> Request Engine) to 1000 milliseconds (1 second) between requests.
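The following is an added example, not code from the original post or from Tinker. It simulates offline why the Cluster Bomb above works: the router resolves paths case-insensitively, while a vulnerable limiter keys its counters on the raw path and header it saw, so every new spelling or q value starts a fresh bucket. The hardened limiter keys on the resolved route instead. The route table, the 5-per-minute limit, the client IP and the request shape are all assumptions made for the example.

```python
"""
Added example, not code from the original post or from Tinker: a small
simulation of why case-tampering the endpoint defeats a rate limiter.
The route table, the 5-per-minute limit, the client IP and the request
shape are assumptions made for this example.
"""
import itertools
from collections import defaultdict

LIMIT = 5            # requests allowed per client per window (assumed)
WINDOW = 60.0        # window length in seconds (assumed)
ROUTES = {"/users/reset-password": "reset_password"}   # canonical route table (assumed)


def route_for(path):
    """Case-insensitive router: '/users/RESET-Password' still hits reset_password."""
    return ROUTES.get(path.lower())


def case_variants(segment):
    """Yield every upper/lower-case spelling of a path segment, the way a
    tampering tool does; hyphens and digits are left alone."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in segment]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def raw_request_key(ip, req):
    """Vulnerable keying: the exact path spelling and the raw header are part
    of the counter key, so each new casing or q value starts a fresh bucket."""
    return (ip, req["path"], req["accept_language"])


def route_key(ip, req):
    """Hardened keying: count per client and per *resolved* route, so spelling
    and header noise cannot split the counter."""
    return (ip, route_for(req["path"]))


class SlidingWindowLimiter:
    def __init__(self, key_func):
        self.key_func = key_func
        self.hits = defaultdict(list)      # key -> request timestamps in the window

    def allow(self, ip, req, now):
        key = self.key_func(ip, req)
        recent = [t for t in self.hits[key] if now - t < WINDOW]
        self.hits[key] = recent
        if len(recent) >= LIMIT:
            return False                   # 429 Too Many Requests
        recent.append(now)
        return True                        # 200 OK, reset mail sent


def simulate(key_func, n_requests, ip="203.0.113.7"):
    """Replay the Cluster Bomb attack offline: rotate the endpoint casing
    (payload 1) and the Accept-Language q value (payload 2) on every request
    and return how many reset mails the limiter let through."""
    limiter = SlidingWindowLimiter(key_func)
    spellings = case_variants("reset-password")
    accepted, now = 0, 0.0
    for i in range(n_requests):
        req = {
            "path": "/users/" + next(spellings),
            "accept_language": "en-US,en;q=0.%d" % (i % 10 + 1),
        }
        now += 0.5                         # two requests per second, all inside one window
        if route_for(req["path"]) is None:
            continue                       # router would 404, no mail sent
        if limiter.allow(ip, req, now):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("raw-key limiter let through:", simulate(raw_request_key, 60))   # 60
    print("route-key limiter let through:", simulate(route_key, 60))       # 5
```

The fix is not to block case variants at the WAF but to count on what the application will actually execute: resolve the route (or canonicalize the path) before building the rate limit key, and tie the key to the target identity (here the email address in the body would be a better second key than the client IP) so header noise cannot split the counter.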
Risk
- This can cause an outage of the email service. As a result, legitimate users would not be able to reset their passwords, which can cause monetary loss to the company.
- Due to the huge volume of emails, providers like Google, Yahoo and Microsoft will flag the sender as spam. This leads to all of the company's emails landing in the spam or junk folder.
- An email bomb can also create a denial of service (DoS) condition against the email software, and even the network and Internet connection, by consuming a large amount of bandwidth and sometimes a large amount of storage space.
Outro:
This technique is an easy win, and I got 100 euros for it.
Finally, the key insight is: "Try to confuse the WAF, and it will lead to a rate limit bypass."
I hope you enjoyed my #BugBounty blog.
Feel free to connect with me on Twitter: @heydc7
Thank you!