Account Takeover Through Rate-Limit Bypass — Bug Bounty Tuesday
Hello everyone, I’m Kerstan.
Today is Bug Bounty Tuesday, and I will share with you how a rate-limit bypass led to an account takeover.
So, let’s dive right in.
![](https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*8x_uEahRm-5XagdKXYN74w.png)
In a private bug bounty program, when a password reset was initiated, users were asked to enter a six-digit numeric code sent to their email for verification.
To deter brute-force attacks, the application set up rate-limit protection, limiting the number of requests users could make within a specific time frame. If this limit was exceeded, the system would return a 429 Too Many Requests error message.
However, the rate-limit protection could be bypassed by sending two X-Forwarded-For headers in the same request:

```http
POST /reset HTTP/2
Host: example.com
X-Forwarded-For: 1.1.1.1
X-Forwarded-For: 2.2.2.2
```
By changing the IP address in the second X-Forwarded-For header, it became possible to bypass the rate limit and attempt multiple codes until the correct one was located.
Exploiting this vulnerability made it possible to take over any account within the application without authorization.
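To show why the duplicate header defeated the limiter and what closes the gap, here is an added Python example (not the author's code and not the program's application). It assumes a single trusted reverse proxy at 10.0.0.5 (constructed) that appends the real client address to X-Forwarded-For, and it replays constructed traffic against a rate limiter that derives the client IP first the weak way (trusting the last client-supplied value) and then the hardened way (trusting the header only from the proxy) with an extra per-account key.

```python
from collections import defaultdict, deque
TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the only hop allowed to set X-Forwarded-For

def xff_values(headers):
    """Every X-Forwarded-For entry across all such headers, in wire order."""
    return [v.strip() for name, value in headers if name.lower() == "x-forwarded-for"
            for v in value.split(",") if v.strip()]

def client_ip_naive(headers, peer_ip):
    """Weak: trusts client-supplied X-Forwarded-For; the last value wins."""
    vals = xff_values(headers)
    return vals[-1] if vals else peer_ip

def client_ip_hardened(headers, peer_ip):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy that appends
    the real client address; from anyone else, the peer address is the client."""
    vals = xff_values(headers) if peer_ip in TRUSTED_PROXIES else []
    return vals[-1] if vals else peer_ip

class ResetCodeLimiter:
    """Sliding-window attempt counter keyed by client IP and, optionally, by account."""
    def __init__(self, ip_extractor, per_account, max_attempts=5, window_s=600):
        self.ip_of, self.per_account = ip_extractor, per_account
        self.max, self.window = max_attempts, window_s
        self.hits = defaultdict(deque)   # key -> timestamps of recent attempts

    def allow(self, headers, peer_ip, account, now):
        keys = [("ip", self.ip_of(headers, peer_ip))]
        if self.per_account:             # rotating IPs must not reset the per-account count
            keys.append(("acct", account))
        for key in keys:                 # prune expired hits, then check every key
            q = self.hits[key]
            while q and q[0] <= now - self.window:
                q.popleft()
            if len(q) >= self.max:
                return 429
        for key in keys:
            self.hits[key].append(now)
        return 200

def count_allowed(limiter, n=20):
    """Replay n verification requests from one peer that rotates the second
    X-Forwarded-For header (constructed traffic); return how many get HTTP 200."""
    allowed = 0
    for i in range(n):
        headers = [("Host", "example.com"), ("X-Forwarded-For", "1.1.1.1"),
                   ("X-Forwarded-For", f"2.2.2.{i}")]
        ok = limiter.allow(headers, "203.0.113.7", "victim@example.com", 1000 + i)
        allowed += ok == 200
    return allowed
```

With the weak extractor every request lands in a fresh IP bucket, so all 20 attempts pass; with the hardened extractor and the per-account key only the first 5 do.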
If this writing has been helpful to you, please consider giving it a clap and following. Thanks bro.
Alternatively, you can just buy me a coffee here, any sort of support is much appreciated. Enjoy your reading.
If you want to learn more about Bug Bounty Tuesday, please be sure to take a look at my latest articles.