Account Takeover Through Rate-Limit Bypass — Bug Bounty Tuesday

Hello everyone, I’m Kerstan.

Today is Bug Bounty Tuesday, and I will share with you how a rate-limit bypass led to an account takeover.

So, let’s dive right in.

In a private bug bounty program, when a password reset was initiated, users were asked to enter a six-digit numeric code sent to their email for verification.

To deter brute-force attacks, the application set up rate-limit protection, limiting the number of requests users could make within a specific time frame. If this limit was exceeded, the system would return a 429 Too Many Requests error message.

However, the rate-limit protection could be bypassed by sending two X-Forwarded-For headers in the same request.

POST /reset HTTP/2
Host: example.com
X-Forwarded-For: 1.1.1.1
X-Forwarded-For: 2.2.2.2

Because the rate limiter keyed its counter on the client-supplied X-Forwarded-For value, changing the IP address in the second header put each request into a fresh bucket, so the limit never triggered and codes could be tried one after another until the correct one was found.

Exploiting this vulnerability made it possible to take over any account within the application without authorization.
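To make the root cause concrete from the defender's side, here is an added example (my own code, not from the original post or the affected program) that models a rate limiter keyed on the client address in two ways: one that trusts whatever X-Forwarded-For chain the client sends, and one that only honours hops appended by the application's own reverse proxy. The trusted-proxy address 10.0.0.1, the peer address 203.0.113.7 and the request burst are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample data (RFC 5737 documentation ranges), not real hosts.
TRUSTED_PROXIES = {"10.0.0.1"}   # the app's own reverse proxy (assumption)
ATTACKER_PEER = "203.0.113.7"    # what the server socket actually sees


@dataclass
class Request:
    remote_addr: str                                              # peer IP of the TCP connection
    headers: List[Tuple[str, str]] = field(default_factory=list)  # order kept, duplicates allowed

    def header_values(self, name: str) -> List[str]:
        """All values of a (possibly repeated) header, split on commas as HTTP joins them."""
        out: List[str] = []
        for k, v in self.headers:
            if k.lower() == name.lower():
                out.extend(p.strip() for p in v.split(",") if p.strip())
        return out


def vulnerable_client_key(req: Request) -> str:
    """Trusts the client-supplied X-Forwarded-For chain outright, as in the write-up.
    Whoever sends the header chooses the rate-limit bucket."""
    xff = req.header_values("X-Forwarded-For")
    return xff[-1] if xff else req.remote_addr


def hardened_client_key(req: Request, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Only honour hops appended by our own proxies: walk the chain from the right,
    skip trusted proxy addresses, and stop at the first address we did not add.
    A connection that did not arrive via a trusted proxy is keyed on its real peer."""
    if req.remote_addr not in trusted_proxies:
        return req.remote_addr
    for hop in reversed(req.header_values("X-Forwarded-For")):
        if hop not in trusted_proxies:
            return hop
    return req.remote_addr


class RateLimiter:
    """Sliding-window counter: at most `limit` attempts per `window` seconds per key."""

    def __init__(self, limit: int = 5, window: float = 60.0) -> None:
        self.limit, self.window = limit, window
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller answers 429 Too Many Requests
        q.append(now)
        return True


def brute_force_burst(key_fn: Callable[[Request], str], attempts: int = 20) -> int:
    """Replay the write-up's pattern: one real client sends `attempts` code guesses, each
    with two X-Forwarded-For headers and a fresh IP in the second one (constructed data).
    Returns how many attempts the limiter let through."""
    limiter = RateLimiter(limit=5, window=60.0)
    allowed = 0
    for i in range(attempts):
        req = Request(ATTACKER_PEER, [
            ("Host", "example.com"),
            ("X-Forwarded-For", "1.1.1.1"),
            ("X-Forwarded-For", f"2.2.2.{i}"),  # rotated per request
        ])
        if limiter.allow(key_fn(req), now=float(i)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("vulnerable keying let through:", brute_force_burst(vulnerable_client_key))  # 20
    print("hardened keying let through:  ", brute_force_burst(hardened_client_key))    # 5
```

With the vulnerable key function every guess lands in its own bucket and all 20 go through; with the hardened one the limiter sees a single peer and blocks everything after the fifth attempt. Two further points worth carrying into a real fix: the reverse proxy should overwrite or strip client-supplied X-Forwarded-For headers before the application sees them, and the verification code should also be limited per reset token or account, so that a six-digit code cannot be exhausted from many genuinely different source addresses either.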

Resources:

https://x.com/hunter0x7/status/1766117775188316260?s=20

If this writing has been helpful to you, please consider giving it a clap and following. Thanks bro.

Alternatively, you can just buy me a coffee here, any sort of support is much appreciated. Enjoy your reading.

If you want to learn more about Bug Bounty Tuesday, please be sure to take a look at my latest articles.

Account Takeover Through Rate-Limit Bypass — Bug Bounty Tuesday

5 Tips GoogleDocks you should know — Bug Bounty Tuesday

Jenkins Arbitrary File Reading Vulnerability (CVE-2024–23897) — Bug Bounty Tuesday

How I Discovering the Origin IP In Bug Bounty — Bug Bounty Tuesday

How I Find Open Redirect Bug — Bug Bounty Tuesday

My SSRF Tricks — Bug Bounty Tuesday

Get IDOR In No Permission To Access Page — Bug Bounty Tuesday

Account Takeover on International Exchange — Bug Bounty Tuesday

URL Redirection To DOM XSS on Hackerone Programs — Bug Bounty Tuesday

3 Steps Discovered XXE You Should Know

URL Redirection To DOM XSS on Hackerone Programs

How I Discovered SSRF on Hackerone Program

How I Automatically Discovered SSRF on Hackerone Program

PS.

Subscribe Here.
