Weird Story of Captcha to Rate Limit Bypass

Harsh Bothra
May 9 · 3 min read

When an application does not limit the number of emails or messages that can be triggered in a given amount of time, the issue is usually reported as a missing Rate Limit. Rate limiting is not only that, though: depending on the business logic, it can cover scenarios such as X number of comments, messages or invites, or Create/Delete operations, in Y amount of time.

Captcha, on the other hand, is a protective mechanism intended to slow an attacker down and to block the automation needed to send requests at the volume a Rate Limiting attack requires.

Hey fellow Hackers! In this blog, I will be writing about a very recent and weird scenario where I accidentally bypassed a captcha to perform a Rate Limiting attack.


In a nutshell, the story is:

  1. Went to Forget Password and filled details along with Captcha

The application I was working on is from a Private Program, and to respect its No Disclosure Policy, let's name the target target.com.

Pretty much all the vulnerabilities were in scope, so I started looking for XSS, IDORs, etc. and had good luck with them on day 1. The next day, when I started again, I had forgotten the password I set :p so I went to the “Forget Password” functionality to reset my password. I observed that the application was implementing a captcha to restrict automation. Cool, let's have fun with it.

I started by capturing the request with a valid Captcha answer and tried to repeat it, but it failed. Next, I went ahead and tried removing the captcha parameter, and still no luck.

The next thing I did was actually unintentional. I captured a fresh request, sent it to Repeater and repeated it. Success! How? It was not working for me before :/ I noticed that I had forgotten to turn off the interceptor and forward the request. I went ahead and turned off the interceptor. To my surprise, an email notification popped up: I had received TWO Password Reset emails! Something was fishy.

I captured another fresh request, kept it on hold in Proxy and sent it to Intruder. I replayed the request with Null payloads about 200 times.

I got 200 emails. :D Captcha and Rate Limit bypassed ;)

# Why Did This Happen?

To my understanding, the application was implementing some “not so known/local Captcha” which only expired the Captcha after the original request (which was on hold in Proxy) had been validated as correct/incorrect. This lets an attacker keep the original request on hold and bypass the Rate Limit on “Forget Password” to trigger N mails in a few minutes.
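To make the ordering flaw concrete, here is an added example of my own (not code from target.com or from the original post) that models both sides of the story in plain Python: a handler that only compares the captcha answer and burns the challenge when the original request finishes, beside a hardened handler that consumes the challenge atomically before doing anything else and then applies a per-account cap on reset mails. The class and function names, the in-memory stores and the 3-per-15-minutes limit are all assumptions for illustration.

```python
from collections import defaultdict, deque


class MailLog:
    """Stand-in for the mailer: records every reset mail 'sent'."""

    def __init__(self):
        self.sent = []

    def send(self, email):
        self.sent.append(email)


class CaptchaStore:
    """Server-side captcha challenges: id -> [expected answer, consumed flag].
    Hypothetical in-memory store; a real deployment would back this with a
    shared cache so every app instance sees the consumed flag."""

    def __init__(self):
        self.challenges = {}

    def issue(self, challenge_id, answer):
        self.challenges[challenge_id] = [answer, False]

    def check_only(self, challenge_id, answer):
        # Compares the answer but leaves the challenge usable: the flaw.
        rec = self.challenges.get(challenge_id)
        return rec is not None and not rec[1] and rec[0] == answer

    def consume(self, challenge_id, answer):
        # Validate and burn the challenge in one step; a replay fails here.
        rec = self.challenges.get(challenge_id)
        if rec is None or rec[1] or rec[0] != answer:
            return False
        rec[1] = True
        return True


class ResetRateLimiter:
    """Sliding-window cap: at most `limit` reset mails per key per window_s."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.events = defaultdict(deque)

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()              # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def vulnerable_reset(store, mail, req):
    """Flawed ordering: the captcha is only checked here and is consumed
    later, when the original request completes (see finalize_reset)."""
    if not store.check_only(req["captcha_id"], req["captcha"]):
        return False
    mail.send(req["email"])
    return True


def finalize_reset(store, req):
    """Runs when the held original request is finally forwarded; until then
    the challenge stays valid and every replay passes check_only."""
    store.consume(req["captcha_id"], req["captcha"])


def hardened_reset(store, limiter, mail, req, now):
    """Consume the captcha before any side effect, then apply the per-account
    cap; returns (accepted, reason)."""
    if not store.consume(req["captcha_id"], req["captcha"]):
        return False, "captcha"
    if not limiter.allow(req["email"].lower(), now):
        return False, "rate-limit"
    mail.send(req["email"])
    return True, "sent"


def demo():
    """Replays one captured request five times against each handler while the
    original is 'held'; returns the mail count each version produced."""
    req = {"email": "user@example.com", "captcha_id": "c1", "captcha": "7"}
    store, mail = CaptchaStore(), MailLog()
    store.issue("c1", "7")
    for _ in range(5):
        vulnerable_reset(store, mail, req)   # original never finalized yet
    finalize_reset(store, req)
    flawed = len(mail.sent)

    store, mail = CaptchaStore(), MailLog()
    store.issue("c1", "7")
    limiter = ResetRateLimiter(limit=3, window_s=900)
    for _ in range(5):
        hardened_reset(store, limiter, mail, req, now=0.0)
    fixed = len(mail.sent)
    return flawed, fixed


if __name__ == "__main__":
    print("mails sent (flawed, hardened):", demo())
```

The two fixes are independent and both matter: consuming the challenge before sending mail closes the held-request replay, while the per-account window still caps an attacker who solves a fresh captcha for every request. Keying the limiter on the target email rather than the client IP is what stops the 200-mails-to-one-victim outcome described above.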


# Takeaways

  • Add a new bypass to your Rate Limiting Bypass List


Harsh Bothra

Written by

Security Engineer | Bugcrowd Top 150 | Synack Red Teamer | Bug Hunter | Author | Occasional Speaker | Learner | Poet | Twitter — @harshbothra_

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
