Trick to bypass rate limit of password reset functionality
Note: Since it's a private program, I will call it example.com.
Server behavior
If you send many requests, the password-reset endpoint blocks you with status code 429 and the response message "Too many requests".
Attempts in testing
1- Changing the User-Agent header's value randomly in every request. [Failed]
2- Adding some headers like the ones below: [Failed]
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Host: 127.0.0.1
3- Adding a null byte or other control characters (%00, %09, %0d, %0a) to the email value in the request body. [Failed]
4- A lot of fuzzing, such as adding spaces, numbers, role:admin and others. [Failed]
5- Adding a query parameter to the path. [Success] Bypassed!
https://dashboard.example.io/password-reset [block]
https://dashboard.example.io/password-reset?anyCharacter=1 [bypass]
I can send more than 100 requests without being blocked.
Reproduce the issue step by step
- Go to this endpoint: https://dashboard.example.io/password-reset
- Reset the password and capture the request with Burp Proxy.
- Add a query parameter to the endpoint of the request, then send it to Intruder or resend it many times manually => https://dashboard.example.io/password-reset?anyCharacter=1
You will find that you bypass the "Too many requests" prevention.
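The post does not say how the server keys its limiter, but the behavior above (attempts 1-4 fail, only a changed query string succeeds) is consistent with a limiter that buckets requests by the exact request URL, so every new query string starts a fresh counter. The Python below is an added example written for this post, not code from the program or the author: a toy sliding-window limiter with that weak keying beside a hardened keying that uses the client address plus the normalized path, so `?anyCharacter=1` lands in the same bucket as the bare path. The hostname, client IP, limit and window are constructed values.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed values for the demonstration (assumptions, not from the post).
BASE_URL = "https://dashboard.example.io/password-reset"
CLIENT_IP = "203.0.113.7"
LIMIT = 5            # requests allowed per bucket per window
WINDOW_SECONDS = 60


class RateLimiter:
    """Sliding-window counter; the bug or fix lives entirely in key_func."""

    def __init__(self, key_func, limit=LIMIT, window=WINDOW_SECONDS):
        self.key_func = key_func
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # bucket key -> timestamps of recent hits

    def allow(self, client_ip, method, url, now):
        key = self.key_func(client_ip, method, url)
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def weak_key(client_ip, method, url):
    # Keys on the raw URL: every distinct query string is a brand-new bucket,
    # which is the bypass the post demonstrates.
    return f"{client_ip}|{method}|{url}"


def hardened_key(client_ip, method, url):
    # Keys on client address + scheme/host + normalized path only.
    # Query string, trailing slash and path case no longer create new buckets.
    parts = urlsplit(url)
    path = parts.path.rstrip("/").lower() or "/"
    return f"{client_ip}|{method.upper()}|{parts.netloc.lower()}|{path}"


def simulate(key_func, n_requests, vary_query=True, limit=LIMIT):
    """Send n_requests one second apart from one client; return how many got through."""
    limiter = RateLimiter(key_func, limit=limit)
    allowed = 0
    for i in range(n_requests):
        url = BASE_URL + (f"?anyCharacter={i}" if vary_query else "")
        if limiter.allow(CLIENT_IP, "POST", url, now=float(i)):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("weak keying, varying query string:     ", simulate(weak_key, 20))       # 20: bypassed
    print("weak keying, plain path:               ", simulate(weak_key, 20, False))  # 5
    print("hardened keying, varying query string: ", simulate(hardened_key, 20))   # 5
```

In a real deployment the bucket key should also include the target identity the request acts on (here, the email whose password is being reset), so that a single account cannot be hammered from many source addresses either; the path normalization shown is the part that closes the specific bypass in this post.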
Thank you for reading.
Wait for the best.