🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • RATE LIMIT FLAWS
  • Rate-limit Checks
  • Bypass-Techniques
  1. Rate Limit

Rate Limit Flaws

RATE LIMIT FLAWS

This flaw leveraged by malicious actors to perform DDoS, brute force, and bot attacks on APIs. Although it's more than that.

NOTE: Some organisation keep rate-limit bug as OOS, So check their policy before testing.

Rate-limit Checks

1 - Rate limit on Forget password 2 - Rate limit on Sign-up Page 3 - Rate limit on Login Page 4 - Rate limit on Invite user normal 5 - Rate limit on Invite user using MACROS 6 - Rate limit on 2FA 7 - Rate-limit on Comment and sent messages 8 - Use your own brain somewhere

Bypass-Techniques

1 - Append NULL characters at the end of the request :

%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space

POST /signup/new/1337 HTTP/1.1
HOST: api.target.com
...
email=hacker%40gmail.com&password=12345678%00

2 - Append NULL characters at the end of the Path :

%00, %0d%0a, %0d, %0a, %09, %0C, %20, ( )space POST /profile/post/like%00 HTTP/2

3) Using Custom HTTP headers

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwared-Host: 127.0.0.1
X-Originating-IP: 127.0.0.2
X-Forwarded-For: 127.0.0.2
X-Remote-IP: 127.0.0.2
X-Remote-Addr: 127.0.0.2
X-Client-IP: 127.0.0.2
X-Host: 127.0.0.2
X-Forwared-Host: 127.0.0.2
X-Originating-IP: 127.0.1
X-Forwarded-For: 127.0.1
X-Remote-IP: 127.0.1
X-Remote-Addr: 127.0.1
X-Client-IP: 127.0.1
X-Host: 127.0.1
X-Forwared-Host: 127.0.1

4 - Changing the value of User-Agent:

UserAgent: 'CHANGED_USERAGENT'

5 - Adding Custom parameter in GET request

GET /accout/passwordreset/?test=test

6 - Change request body, (JSON -> XML) or vice versa

Use Burp Extension --> Content Type Converter

7 - Changing API version ,

/api/v2/user/reset_pw --> /api/v1/user/reset_pw or /api/v3/user/reset_pw

8 - Bypass through Exploiting Logic flaw on Login page,

  • Take Attacker and Victim account

  • Identify how many enough login attempts in application

  • For-eg. if application gives only 3 attempts, then

  • By using burp macros, send the attackers login request 1 time and victim login request 2 time, or alternatively

  • If NOT blocked, Repeat the process until we get victim's password

9 - Try to find Origin IP of the Application

  • Shodan

  • Censys

  • Visit the application with it's IP address

  • Do your own research

PreviousPassword_Reset_FlawsNextRate-Limit Bypass

Last updated 9 months ago