Trick to bypass rate limit of password reset functionality

Note: Since its a private program, I will call it example.com

Server behavior
If you send many requests, the reset password will block you with response code => 429 and response message “Too many requests”.

ttempts in testing

1- Change the user-agent header’s value randomly in every request. [Failed]
2- Adding some headers like below: [Failed]
X-Forwarded-For : 127.0.0.1
X-Forwarded-Host : 127.0.0.1
X-Client-IP : 127.0.0.1
X-Remote-IP : 127.0.0.1
X-Remote-Addr : 127.0.0.1
X-Host : 127.0.0.1
3- Trying to add a null byte in the email’s request body (%00, %09, %0d, %0a) [Faield]
4- A lot of fuzzing such as add space, numbers, role:admin, and others but [Faield]
5- Adding a parameter in the path [sucess] bypassed !!

https://dashboard.example.io/password-reset [block]
https://dashboard.example.io/password-reset?anyCharacter=1 [bypass]

I can send more than 100 requests without taking a block.

eproduce the issue step by step

  1. Go to this endpint https://dashboard.example.io/password-reset
  2. Reset the password and capture the request with burp proxy
  3. Add a parameter in the endpoint of the request and send to intruder or send many requests manually => https://dashboard.example.io/password-reset?anyCharacter=1

You will find out that you bypass the “Too many requests” prevention.

Thank you for reading
wait for the best.

Cyber Security Engineer | Penetration tester