Update Rate Limit Bypass.md

This commit is contained in:
Mehdi 2024-10-03 11:30:21 +03:30 committed by GitHub
parent 2d16f74307
commit 62d2ee05ff
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -44,13 +44,66 @@ If the limit in the path `/resetpwd`, try BFing that path, and once the rate lim
Maybe if you login into your account before each attempt (or each set of X tries), the rate limit is restarted. If you are attacking a login functionality, you can do this in burp using a Pitchfork attack in setting your credentials every X tries (and marking follow redirects). Maybe if you login into your account before each attempt (or each set of X tries), the rate limit is restarted. If you are attacking a login functionality, you can do this in burp using a Pitchfork attack in setting your credentials every X tries (and marking follow redirects).
## Real World Scenario
Here we can bypass the rate limit because of a wrong logic, now how?
First, let's see what is the logic behind the code:
![code-snapshot](https://github.com/user-attachments/assets/d73c84a0-2bd2-431c-a0ad-c1cd0b92010c)
In a simple way, if the user enters the correct username and password, he will be logged in and he has the right to enter wrong information up to `5` times, and if it is more than that, the IP will be banned for one minute. (For simplicity, I put one minute, otherwise it can be more, for example 10 minutes)
### What logic has been implemented to prevent brute force?
In line 51, it says that if the user enters wrong information, come and check. If the user's IP is not in our Object, first add the IP to the Object and then set the value to `0`.
```html
loginAttempts[ip] = 0;
```
And for each wrong entry of information, add a number to the user's IP value
```html
loginAttempts[ip]++;
```
In line 57, she said that if the user's IP value was greater than or equal to `5` (that is, the wrong information was entered for login 5 times), add the user's IP to the list of banned IPs
```html
bannedIPs[ip] = Date.now() + BAN_DURATION;
```
Now, in the middle, we also have a middleware that comes with every user request and checks whether the user's IP is Ban or not.
### What is middleware?
In simple words, it is a function that has access to Requests and Responses and can make changes to them.
For example, look at line 26, it came from the user's request and received his IP.
### What is the exploit now?
The problem is exactly in line 49, because if the user enters the correct information and logs in, the user's `loginAttempts[ip]` will be equal to `0`.
For example, as an attacker, I entered wrong information `4` times.
```html
loginAttempts[ip] = 4;
```
And I come for the `5th` time and enter the correct information.
Now my login attempts are reset! (line 49):
```html
loginAttempts[ip] = 0;
```
And again, I can enter wrong information `4` times and in the same way I can do brute force and bypass the rate limit.
I just have to test one correct password for every `4` **wrong passwords** in my password list.
For example, if we want to brute force the user `admin`:
```html
passwordlist.txt
Username : Password
admin WrongPassword1
admin WrongPassword2
admin WrongPassword3
admin WrongPassword4
mehdi0x90 p@ssw0rd
admin WrongPassword5
admin WrongPassword6
admin WrongPassword7
admin WrongPassword8
mehdi0x90 p@ssw0rd
```
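Review bot: the four fenced blocks in this hunk are tagged `html` but none of them contain HTML; `loginAttempts[ip] = 0;`, `loginAttempts[ip]++;` and `bannedIPs[ip] = Date.now() + BAN_DURATION;` are JavaScript and the `passwordlist.txt` block is plain text, so tag them `javascript` and `text` respectively. The explanation also leans on line numbers (26, 49, 51, 57) that only exist in the linked screenshot, so a reader without the image cannot verify the claim that line 49 resets the counter; paste the few relevant lines of the login handler and the middleware as a fenced block next to those references. Finally, the section stops at the bypass and never states the correct logic: the failed-attempt counter should not be cleared by a successful login to a different account (key the counter per target account, or only reset the entry for the account that just authenticated, and keep the ban check independent of that reset), which is the one sentence a reader needs to fix the pattern rather than just recognise it.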