Account Takeover with rate limit bypass

8 months ago 45

Account Takeover with rate limit bypass

Hi guys, I’m Shamim Ahamed . It’s my first bug bounty write-up about my valid bug which could have allowed a malicious user to take over any account on that target site.

So let’s start

As I can’t disclose the name of the company, let’s call it “” .Last night i was testing on my target website ,and suddenly i notify something on forgotpassword to reset password option , so tried reset password and something in burp suite,the request like this

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmForgotPassword
X-Amz-User-Agent: aws-amplify/5.0.4 js
Content-Length: 128
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Te: trailers


I tried to test on this and find a option ,there is a ConfirmationCode”:XXXX” which used to be change the password ,valid ConfirmationCode.

use burp suite intruder to brute force on ConfirmationCode.After sending request so many for brute force the code this it will blocking our request.

{"__type":"LimitExceededException","message":"Attempt limit exceeded, please try after some time."}

Then i tried to bypass this by using X-Forwared-Host: on request .It’s successfully bypass limit.

use burp suite intruder to change multiple ip on X-Forwared-Host:127.0.0.$1$, and continue brute force on ConfirmationCode,after so many request the valid code change the password and successfully takeover the account .

That’s all…

Thank you for reading!

Read Entire Article