When an application does not implement a mechanism to limit the number of emails or messages triggered in a given amount of time, the issue is usually filed as Rate Limiting. However, rate limiting is not just that: there may be multiple scenarios, such as X comments/messages/invites or Create/Delete operations in Y amount of time, depending on the business logic.
Captcha, on the other hand, is a protective mechanism meant to slow an attacker down and to block the automation of the request bursts used in Rate Limiting attacks.
Hey fellow Hackers! In this blog, I will be writing about a very recent and weird scenario where I accidentally bypassed a captcha to perform a Rate Limiting attack.
In a nutshell, the story is:
- Went to Forgot Password and filled in the details along with the Captcha.
- Captured the request with Burp Proxy.
- Neither turned off Interception nor forwarded the request.
- Sent the request to Intruder and played it 300 times with null payloads.
- The captcha mechanism was validating the initial request, which was on hold in the Proxy, before expiring the captcha.
The application I was working on is from a Private Program, and to respect its No Disclosure Policy, let's name the target target.com.
Pretty much all vulnerabilities were in scope, so I started looking for XSS, IDORs, etc. and had good luck with them on day 1. The next day, when I started again, I had forgotten the password I set :p so I went to the "Forgot Password" functionality to reset my password. I observed that the application implements a captcha to restrict automation. Cool, let's have some fun with it.
I started by capturing the request with a valid Captcha answer and tried to repeat it, but it failed. I then tried removing the captcha parameter; still no luck.
What I did next was actually unintentional. I captured a fresh request, sent it to Repeater and repeated it. Success! How? It had not worked before :/ Then I noticed that I had forgotten to turn off the interceptor and forward the request. I went ahead and turned the interceptor off. To my surprise, an email notification popped up: I had received TWO Password Reset emails! Something was fishy.
I captured another fresh request, kept it on hold in the Proxy and sent it to Intruder. I played the request with null payloads about 200 times.
I got 200 emails. :D Captcha and Rate Limit bypassed ;)
# Why This Happened?
To my understanding, the application was implementing some "not so well known", locally built Captcha that validated the original request (the one on hold in the Proxy) as correct or incorrect before expiring the Captcha. This lets an attacker keep the original request on hold and bypass the Rate Limit on "Forgot Password" to trigger N mails in a few minutes.
- Add a new bypass to your Rate Limiting Bypass List.
- Always try fiddling with locally implemented protection mechanisms. They are more likely to be vulnerable.
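The flaw described above, modelled as an added example (not the program's code, and all names and values are constructed): a captcha store that only reads the token on validation and retires it after the request completes lets every in-flight copy pass, while a store that validates and retires the token in one atomic step before any mail is sent lets only the first copy through.

```python
import threading

class CaptchaStore:
    """In-memory stand-in for the server-side captcha record (constructed for this example)."""
    def __init__(self):
        self._valid = {}                 # token -> expected answer
        self._lock = threading.Lock()

    def issue(self, token, answer):
        self._valid[token] = answer

    def check(self, token, answer):
        # Vulnerable pattern: read-only validation; the token is retired separately, later.
        return self._valid.get(token) == answer

    def expire(self, token):
        self._valid.pop(token, None)

    def consume(self, token, answer):
        # Hardened pattern: validate and retire in one atomic step, before any side effect.
        with self._lock:
            if self._valid.get(token) != answer:
                return False
            del self._valid[token]
            return True

def vulnerable_reset(store, token, answer, barrier, sent):
    ok = store.check(token, answer)
    barrier.wait()                       # every replayed copy is validated before the first one retires the token
    if ok:
        sent.append("password reset mail")
        store.expire(token)

def hardened_reset(store, token, answer, barrier, sent):
    ok = store.consume(token, answer)     # only the first copy to arrive wins the token
    barrier.wait()
    if ok:
        sent.append("password reset mail")

def emails_sent(handler, copies):
    """Replay one captured reset request `copies` times concurrently; return mails triggered."""
    store = CaptchaStore()
    store.issue("tok-123", "7")          # constructed captcha challenge: token and its answer
    sent, barrier = [], threading.Barrier(copies)
    threads = [threading.Thread(target=handler, args=(store, "tok-123", "7", barrier, sent))
               for _ in range(copies)]
    for t in threads: t.start()
    for t in threads: t.join()
    return len(sent)

if __name__ == "__main__":
    print("vulnerable:", emails_sent(vulnerable_reset, 200))   # 200 mails, as in the write-up
    print("hardened:  ", emails_sent(hardened_reset, 200))     # 1 mail
```

The same atomic "validate and consume" step is what a per-account reset rate limit should sit behind, so a held request cannot be replayed past either control.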