How I Bypassed Rate limiting To Account Takeover
Hi, Ajak Amico’s, welcome back to another blog. Today I will show how I found a rate limit bypass via IP rotation that led to account takeover; to exploit it I used the Tor Browser. Before starting, if you haven’t subscribed to our channel, do subscribe, guys. We post content on cyber security, bug bounty, and digital forensics investigation.
Follow our Youtube Channel: @ajakcybersecurity (360 Videos)
Follow on Instagram: AjakCybersecurity
Buy me Coffee: https://buymeacoffee.com/ajak
Recon:
After using my favourite tool, https://subdomainfinder.c99.nl/, for subdomain enumeration and opening all the results with a bulk URL opener, I spent two days hunting on this domain. During this time I identified one information disclosure, two CSRF vulnerabilities, and one ATO (Account Takeover). The target is a community site where users can register, take part in forum discussions, and post queries about banking and insurance; I covered the other findings in my previous blogs.
Exploitation:
On my first day of hunting, while exploring the login page, I observed that a rate limit was in place: after every 5 unsuccessful login attempts, your IP would be banned for 15 minutes. On the second day I started thinking about how I could bypass this restriction.
After 5 bad attempts my IP was blocked, as in the screenshot below.
To bypass this, I connected to a VPN and changed my IP address using the Urban VPN extension.
I then tried to log in from my new IP address, and guess what happened: instead of banning me, it displayed “You have used 1 out of 5 login attempts”. So the logic is simple: the API checks the source IP address of the request, and once that IP reaches 5 bad attempts, that specific IP is blocked. An attacker can bypass this simply by rotating the IP address for each request.
To show impact to the triage team, I simply opened the Tor Browser, because the circuit passes through different nodes for each request, which makes the demonstration easy.
I opened my target and submitted random usernames and passwords. To my surprise, for each request I received the same message: “You have used 1 out of 5 login attempts.” Since the exit node changed for each request, it became clear that we could submit as many attempts as we wished. And yes, you read that right: I didn’t even open Burp to test it, just the Tor Browser. I then recorded a proof of concept (POC) and submitted it.
The bug was triaged one week after reporting. In real-world testing, people use the Burp IP Rotate extension configured with AWS.
It depends on the program you hunt on. If they ask you to show impact in real time, you can use IP rotation in Burp Suite. In most cases, though, I use the Tor Browser to show the impact, and the company accepts that POC. Cheers, see you in the next blog :)
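The fix on the defender's side is to stop keying the failed-login counter on the source IP alone. The following added example (my own code, not the target site's or the author's) is a small sliding-window limiter that can track failures per IP only, reproducing the bypass above, or per IP and per target account, which makes the limit stick to the victim no matter how many exit nodes the requests come from; the IPs and account name are constructed.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5          # "5 login attempts", as in the post
WINDOW_SECONDS = 15 * 60  # the 15-minute ban the post observed

class LoginRateLimiter:
    """Counts failed logins per key in a sliding window. With
    key_on_account=False only the client IP is tracked (the behaviour in
    the post); with True the target account is tracked as well."""
    def __init__(self, key_on_account=True, clock=time.time):
        self.key_on_account = key_on_account
        self.clock = clock
        self.failures = defaultdict(list)  # key -> failure timestamps

    def _keys(self, ip, username):
        keys = [("ip", ip)]
        if self.key_on_account:
            keys.append(("acct", username.strip().lower()))
        return keys

    def _recent(self, key, now):
        # Forget failures older than the window, return how many remain.
        self.failures[key] = [t for t in self.failures[key]
                              if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def is_blocked(self, ip, username):
        now = self.clock()
        return any(self._recent(k, now) >= MAX_FAILURES
                   for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for k in self._keys(ip, username):
            self.failures[k].append(now)

def attempts_allowed(key_on_account, n_requests=20):
    """Constructed scenario: one victim account, a fresh IP on every
    request (what Tor or an IP-rotation proxy gives the attacker).
    Returns how many failed attempts got through before a block."""
    limiter = LoginRateLimiter(key_on_account=key_on_account)
    allowed = 0
    for i in range(n_requests):
        ip = f"10.0.0.{i}"  # constructed: different source IP each time
        if limiter.is_blocked(ip, "victim@example.com"):
            break
        limiter.record_failure(ip, "victim@example.com")
        allowed += 1
    return allowed
```

With `key_on_account=False` all 20 rotated-IP attempts get through; with `key_on_account=True` the sixth is blocked. A per-account lockout can itself be abused to lock real users out, so production systems usually pair it with CAPTCHA or progressive delays instead of a hard ban.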
Submitted: 21 April 2024
Triaged: 29 April 2024
PS: 50 claps for this blog and I will share how I found an IDOR by exploiting a JWT token in my next writeup.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I hope you learned something from this blog; if so, kindly press that follow button for further updates. Best wishes from Ajak Cybersecurity.❤️
“கற்றவை பற்றவை🔥” (“Hold on to what you have learned”)
Learn Everyday, Happy Hacking 😁🙌