Existing Rate Limit Protection Bypass via Multiple API Calls (Macro Request Handling)

Akshay Ravi
4 min read · Nov 13, 2022

Hi guys, in this article I will share how I bypassed an existing rate-limit protection by triggering multiple API calls on my target (redacted.com).

While I was testing the target as usual, there were several account options: change profile name, change profile picture, add another email, change password, and so on. The "add another email" option caught my attention, and I wondered whether I should test it for rate-limit issues: when we add a new email, the newly added address will definitely receive a confirmation code or token for verification. That was the case here, and when I added my second email I received a confirmation token. So I quickly captured the request, sent it to Intruder, and tried to perform email flooding, but unfortunately rate-limit protection was already implemented to protect against brute-force attacks.

When I sent the "email/add" request, the first response looked like this: the email address was added and I received a verification token in my mailbox.

X-My-Status: success

When I sent the request again (a second time), I did not receive a new verification token in my mailbox, and the response looked like this:

X-My-Status: email_already_sent

That means, the server is validating the user begin already added or not and it this case i’m not able to perform email flooding via brute-force.There was an option to resend-verification email and i captured the request and tried to perform intruder attack and there were also rate-limit protection implemented and i have received only 1 email when i tried null payload attack with 100 requests, the request was also like this

X-My-Status: email_already_sent

So I started checking other features, and again one thing caught my attention: we can remove the added email without verifying it.

When I sent the "email/delete" request, the first response looked like this: the email address I had added was removed.

X-My-Status: success

When I sent the delete request again (a second time), nothing happened and the response looked like this:

X-My-Status: email_not_found

So when I sent "email/add" the address was added, when I sent "email/delete" it was removed, and each time the email was added I received a new verification token in my mailbox. In this case I was able to bypass the protection by triggering multiple API calls, so I quickly wrote an automated Python script for this, and the script was like this

This script executes the add and delete requests simultaneously.

In the script I added a for loop with 100 requests, and when I executed it I received 100 junk verification emails.
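The root cause described above is that the only guard on "email/add" is the per-address "already sent" state, and "email/delete" clears that state, so every add/delete pair sends a fresh verification email. The following is an added example written from the defender's side; it is not the author's script and not the target's code. It models the vulnerable handler next to a hardened one that keeps a sliding-window send quota in its own table, keyed on both the requesting account and the recipient address, so deleting the pending email cannot reset it. The endpoint names, status strings, the `MailSink` stand-in for the mail gateway, the quota values and the `FakeClock` are all assumptions chosen for the simulation.

```python
import secrets
import time
from collections import defaultdict


class MailSink:
    """Constructed stand-in for the outbound mail gateway: records every
    verification email instead of delivering it, so the simulation runs offline."""

    def __init__(self):
        self.sent = []  # list of (recipient, token)

    def send(self, to, token):
        self.sent.append((to, token))


class VulnerableEmailService:
    """Models the behaviour the post describes: the only guard on email/add is
    the per-address 'already sent' flag, and email/delete clears that flag, so
    an add/delete loop sends one verification email per iteration."""

    def __init__(self, mailer):
        self.mailer = mailer
        self.pending = {}  # (account, email) -> verification token

    def add_email(self, account, email):
        key = (account, email.lower())
        if key in self.pending:
            return "email_already_sent"
        token = secrets.token_hex(8)
        self.pending[key] = token
        self.mailer.send(email, token)
        return "success"

    def delete_email(self, account, email):
        key = (account, email.lower())
        if key not in self.pending:
            return "email_not_found"
        del self.pending[key]
        return "success"


class HardenedEmailService(VulnerableEmailService):
    """Adds a sliding-window send quota keyed on the requesting account and on
    the recipient address. The quota lives in its own table (self.sends), not in
    the pending-email state, so email/delete does not reset it."""

    def __init__(self, mailer, limit=3, window_s=3600, clock=time.monotonic):
        super().__init__(mailer)
        self.limit = limit          # assumed: max verification emails per window
        self.window_s = window_s    # assumed: window length in seconds
        self.clock = clock          # injectable for deterministic tests
        self.sends = defaultdict(list)  # quota key -> timestamps of sends

    def _over_quota(self, qkey):
        now = self.clock()
        recent = [t for t in self.sends[qkey] if now - t < self.window_s]
        self.sends[qkey] = recent  # drop entries that fell out of the window
        return len(recent) >= self.limit

    def add_email(self, account, email):
        key = (account, email.lower())
        if key in self.pending:
            return "email_already_sent"
        quota_keys = (("account", account), ("recipient", email.lower()))
        # Refuse before sending: neither the account nor the recipient address
        # may receive more than `limit` verification emails per window.
        if any(self._over_quota(q) for q in quota_keys):
            return "rate_limited"
        token = secrets.token_hex(8)
        self.pending[key] = token
        self.mailer.send(email, token)
        now = self.clock()
        for q in quota_keys:
            self.sends[q].append(now)
        return "success"


class FakeClock:
    """Constructed clock so the window expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_add_delete_cycles(service, account, email, n):
    """Replays the add/delete pattern from the post n times against a service
    and returns how many verification emails the mailer actually sent."""
    before = len(service.mailer.sent)
    for _ in range(n):
        service.add_email(account, email)
        service.delete_email(account, email)
    return len(service.mailer.sent) - before
```

Running `run_add_delete_cycles` for 100 iterations sends 100 emails through the vulnerable service and only `limit` emails through the hardened one, and a second account cannot top up the recipient's quota because the recipient key is checked independently of the account key. The design point is that the counter must be stored separately from the resource whose deletion the attacker controls; any limiter whose state is derived from "does a pending email exist" is reset by the delete endpoint.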

This domain was part of a Bugcrowd private program, so I reported it via Bugcrowd.

2022 Oct 9: Reported

2022 Oct 26: The triagers responded that the script I had submitted was not working, so I explained it again in more detail, modified the script to take its values as input instead, and resolved the blocker.

2022 Nov 10: Report Accepted 🥳

THANKS🙏
