Hi Everyone,
It’s Yash Gurav here. Today, we are discussing the most common bugs you might find during VAPT/WAPT assessments and, notably, in Bug Bounty programs.
No Rate Limit
I know what you all might be thinking, but it’s true: in my WAPT work, I’ve found this bug in about 80% of the web applications I’ve tested. Most people assume the no rate limit bug is only found in one place, such as the login panel, but that’s NOT TRUE. I used to think the same way. Stay tuned, and I’ll share where else you can find no rate limit issues.
Where Could You Find the No Rate Limit Bug?
Here are the places where you can find the no rate limit bug:
Account Creation / Sign Up
What is the registration link?
When you visit a web application, you’ll notice that most have a sign-up feature requiring registration with an email ID. The application then sends a link/code to verify the email address.
You can test the sign-up feature for missing rate limiting by requesting the registration link/code as many times as you want; if the application keeps sending it, there is no rate limit.
Reset/Forgot Password
You can also test the forgot password feature for no rate limit issues.
First, sign up with your target. Then log out from your account, navigate to the forgot password page, enter your email address, and click submit. The application will send you a link/code to set a new password.
No Rate Limit on OTP
You can also find missing rate limiting on OTP requests.
Like before, make an OTP request, intercept the HTTP request with a proxy tool such as Burp Suite, and send it to the Intruder tab. Choose the Null payloads type, generate only 10 payloads, and start the attack. If you receive 10 OTPs at your email address or mobile number, the endpoint is vulnerable.
Feedback/Support Form, Comments Fields
You can use the support/feedback form to check for no rate limit issues. Also, keep in mind that if the application has a comment section, you should test for no rate limit there as well.
Login Panel
The no rate limit bug can also be found in the login panel. Using tools like Burp Suite or OWASP ZAP, you can attempt 10 wrong logins followed by one correct login; if the correct login still succeeds, there is no lockout.
No Rate Limit on OTP Code Generation for 2FA
A no rate limit bug in the OTP code generation for 2FA means a user can request unlimited OTPs without restriction. You can automate the requests with Burp Suite Intruder. I've also listed methods to bypass security measures.
Bypassing 2FA with No Rate Limit
A no rate limit bug can lead to a 2FA bypass if your target uses an OTP to validate users: you can exploit the missing rate limit to bypass the OTP.
You can find all possible ways to bypass 2FA HERE
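Every location above (sign-up, reset, OTP, login) shares the same root cause: the server counts nothing per recipient, per account or per source address. The block below is an added example written for this post, not code from the original article or any product it mentions; it shows the server-side counterpart of the Intruder test described above (10 back-to-back code requests, 10 wrong logins followed by a correct one). Thresholds, user names, addresses and the e-mail/SMS gateway stand-in are all constructed values.

```python
"""Server-side limits for OTP/reset/sign-up code requests and for login attempts.
Added example; not from the original post. Thresholds and data are illustrative."""
import hmac
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per key within any window_seconds span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class OtpService:
    """Delivers a verification code, limited per recipient and per client IP."""

    def __init__(self):
        # Constructed thresholds: 3 codes / 10 min per email or phone, 20 / 10 min per IP.
        self.per_recipient = SlidingWindowLimiter(3, 600)
        self.per_ip = SlidingWindowLimiter(20, 600)
        self.delivered = []  # stand-in for the SMS / e-mail gateway

    def request_code(self, recipient: str, client_ip: str, now: float) -> str:
        # The client gets the same neutral answer either way; only the gateway
        # call is skipped, so throttling does not reveal whether the recipient exists.
        if not self.per_recipient.allow("rcpt:" + recipient, now):
            return "throttled"
        if not self.per_ip.allow("ip:" + client_ip, now):
            return "throttled"
        self.delivered.append((recipient, now))
        return "sent"


class LoginGuard:
    """Locks an account for lock_seconds after max_failures consecutive bad passwords."""

    def __init__(self, users: dict, max_failures: int = 5, lock_seconds: float = 900):
        self.users = users  # constructed username -> password store (plaintext for brevity)
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def login(self, username: str, password: str, now: float) -> str:
        if self._locked_until.get(username, 0.0) > now:
            return "locked"  # a correct password is rejected while the lock holds
        expected = self.users.get(username, "")
        # Constant-time compare; unknown users still pay for a comparison and a failure.
        ok = hmac.compare_digest(expected, password) and username in self.users
        if ok:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lock_seconds
            self._failures[username] = 0
        return "bad"


def replay_otp_burst(n: int = 10, ip: str = "203.0.113.7",
                     recipient: str = "victim@example.com") -> int:
    """Mirror the Intruder test from the post: n code requests one second apart.
    Returns how many codes the gateway actually delivered."""
    svc = OtpService()
    results = [svc.request_code(recipient, ip, now=float(i)) for i in range(n)]
    return results.count("sent")


def replay_login_burst(wrong: int = 10) -> list:
    """Ten wrong passwords, then the right one, one second apart."""
    guard = LoginGuard({"alice": "correct-horse-battery"})
    results = [guard.login("alice", "wrong%d" % i, now=float(i)) for i in range(wrong)]
    results.append(guard.login("alice", "correct-horse-battery", now=float(wrong)))
    return results


if __name__ == "__main__":
    print("codes delivered out of 10 requests:", replay_otp_burst())  # 3
    print("login burst:", replay_login_burst())  # 5 x bad, then 6 x locked
```

With these limits in place the 10-payload Intruder run from the OTP section delivers only three codes, and the "10 wrong then 1 correct" login test ends in a lockout rather than a successful sign-in. The per-IP counter alone would not be enough (the later section shows why source addresses are easy to fake), which is why the per-recipient and per-account counters do most of the work.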
Ways to bypass rate limiting
Use different spellings of the same parameter or path for the same request
For example, if you find a bug on the signup page, try these variations:
- sign-up
- Sign-Up
- SignUp
- signUP
Manipulating the IP origin using headers
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
# Double X-Forwarded-For header example
X-Forwarded-For:
X-Forwarded-For: 127.0.0.1
Using Null Bytes
Appending a null byte or another encoded control/whitespace character, such as %00, %0d%0a, %0d, %0a, %09, %0C or %20, to a parameter value can be useful, because the application may treat the modified value as a new request. For example: OTPCode=212121%00
I have also attached the POC; you can refer to that.
Log into your account after 2 wrong attempts
You may be familiar with a PortSwigger lab that demonstrates this issue in the Authentication category under [Broken brute-force protection, IP block].
Captcha Trick
Remove the captcha parameter, or replace its value with a string of the same length.
Run the Arjun tool to find hidden parameters
Running the Arjun tool may reveal hidden parameters that could help bypass the rate limit, or you may find other bugs such as XSS or SQL Injection, and many more.