Bypassing Rate Limit ( using Timestamp )
This write up is divided into the following sections :
- Introduction
- Vulnerability description and attack methodology.
- Steps to reproduce and bypass rate limit.
INTRODUCTION
What is Rate Limiting ?
Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe — for instance, trying to log in to an account. Rate limiting can help stop certain kinds of malicious bot activity. It can also reduce strain on web servers.
In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code 429: Too Many Requests
So as usual I tried to look for rate-limiting issues on the application’s forget password page. And be not surprised at all there was a rate limit implemented.
For bypassing the rate limit I looked into the request that it makes while processing the forgot password process.
As you can see there’s a “timestamp” parameter being passed with some other user data.
I thought why are they specifically passing the timestamp parameter. There has to be some reason. So why not play with this parameter and try to change it accordingly. And see if something happens
After doing some research and making an attack methodology I was able to bypass the rate limit
Attack Methodology
Now as the timestamp parameter is being passed on each request, so there is a strong possibility that the server is checking the timestamp variable to see if the timestamp is the same as the previous request or has changed.
So the server will check the timestamp and if it finds that the timestamp is the same as the one used in the previous request, it will get to know that the request has been repeated and will give the 429: Too Many Request Status.
But what if we increment the timestamp parameter on each request. Then if the server checks the timestamp and matches it with the previous request. As the timestamp parameter is incremented, it will not be the same used in the previous request and the server will pass the request as valid.
So like the first request has timestamp: 1599550120334
Therefore the next request will have timestamp: 1599550120335
As you can see we incremented the timestamp 334 to 335.
And after doing this I was able to bypass the rate limit successfully.
Useful Knowledge :
Here “1599550120316” is a timestamp format and the format name is Epoch. This format is usually used in web applications and is a common format.
So in order to change the time stamp according to our needs.
Visit this online converter and change it according to your needs https://www.epochconverter.com/
STEPS TO REPRODUCE
Step 1 — Go to the forgot password page and enter the victim’s email address.
Step 2 — Intercept this particular request in Burpsuite.
Step 3 — Now send this request to Intruder and select the timestamp parameter numbers that you want to increment.
Like if you want to increment 334 in 1599550120334.
Select those particular numbers as a payload such that the payload gets incremented on the new request.
Note: For checking purposes, you can also perform this task manually ( like incrementing the numbers one by one ) but I will recommend you to automate the task using turbo intruder or intruder.
Step 4 — If everything worked right, you will get 200 ok status code & 100 + emails in your victim’s inbox
Support me here ⬇
https://www.paypal.com/paypalme/karanxarora
Twitter ⬇
https://twitter.com/Itskaranxa
IF YOU FELT THIS WAS WORTH YOUR TIME THEN
SUBSCRIBE FOR MORE. STAY CURIOUS !!
