Bypassing Rate Limit Protection to Account Takeover


After finding this out, I went back and tried another trick I had learned from solving the PortSwigger labs.

Burp Intruder has different "Attack Types".

The default attack type is "Sniper", the 2nd is "Battering Ram", the 3rd is "Pitchfork" and the 4th is "Cluster Bomb".

Sniper uses a single payload set and targets one marked position at a time, leaving the other positions at their original values.

Battering Ram also uses a single payload set, but inserts the same payload into every marked position at once.

Pitchfork uses a separate payload set for each marked position and steps through them in lockstep: the first payload of set 1 is sent with the first payload of set 2, then the second with the second, and so on, until the shortest set runs out.

Cluster Bomb also uses a separate payload set per position, but sends every combination of them (the Cartesian product). It is the one to use when you need to test all the inputs at one position against all the inputs at another, at the cost of a request count that multiplies up quickly.
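The four attack types differ only in how they combine payloads with positions, which is easy to see in code. The following is an added example and not from the original post or from Burp itself: each function yields the payload combinations Intruder would send for that attack type, and `request_count` gives the number of requests before you start (worth checking for Cluster Bomb). The request template and the `X-Forwarded-For` header name are assumptions; the post only says one position was an "IP" value.

```python
from itertools import product
from typing import Iterable, Iterator, Sequence, Tuple

# Constructed request template with two insertion points, standing in for the
# §-marked positions in Burp Intruder. The header name is an assumption: the
# post only says one position held an "IP" value.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "X-Forwarded-For: {0}\r\n"
    "\r\n"
    "username=admin&password={1}"
)

Combo = Tuple[str, ...]


def sniper(defaults: Sequence[str], payloads: Iterable[str]) -> Iterator[Combo]:
    """Sniper: one payload set, one position at a time; the other positions keep their original value."""
    payloads = list(payloads)
    for i in range(len(defaults)):
        for p in payloads:
            combo = list(defaults)
            combo[i] = p
            yield tuple(combo)


def battering_ram(defaults: Sequence[str], payloads: Iterable[str]) -> Iterator[Combo]:
    """Battering Ram: one payload set, the same payload placed into every position at once."""
    for p in payloads:
        yield tuple(p for _ in defaults)


def pitchfork(*payload_sets: Iterable[str]) -> Iterator[Combo]:
    """Pitchfork: one payload set per position, advanced in lockstep (stops at the shortest set)."""
    return zip(*payload_sets)


def cluster_bomb(*payload_sets: Iterable[str]) -> Iterator[Combo]:
    """Cluster Bomb: one payload set per position, every combination (Cartesian product)."""
    return product(*payload_sets)


def render(combo: Combo, template: str = TEMPLATE) -> str:
    """Fill the template's positions with one payload combination."""
    return template.format(*combo)


def request_count(attack: Iterable[Combo]) -> int:
    """Number of requests Intruder would send for an attack."""
    return sum(1 for _ in attack)


if __name__ == "__main__":
    defaults = ("127.0.0.1", "password")          # original values at the two positions
    ips = ["2", "3", "4"]                          # constructed payload set 1
    passwords = ["letmein", "hunter2", "correct-horse"]  # constructed payload set 2
    print("sniper:", request_count(sniper(defaults, ips)))                 # 6
    print("battering ram:", request_count(battering_ram(defaults, ips)))   # 3
    print("pitchfork:", request_count(pitchfork(ips, passwords)))          # 3
    print("cluster bomb:", request_count(cluster_bomb(ips, passwords)))    # 9
    for combo in pitchfork(ips, passwords):
        print(render(combo).replace("\r\n", " | "))
```

With two positions and three payloads per set, Sniper sends 6 requests, Battering Ram 3, Pitchfork 3 and Cluster Bomb 9; the gap between Pitchfork and Cluster Bomb grows with the size of the sets, which is why Pitchfork is the right choice when the two positions must move together, as they do here.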

In my case, I used the Pitchfork attack.

I marked two positions: one was the IP value and the other was the password. Intruder therefore shows two payload sets, set 1 for the IP and set 2 for the password.
For set 1 I used the plain numbers 2 to 100, so the total payload count was 99, which is enough to show that such an attack is possible.
For set 2 (the passwords) I used 98 random passwords and put the correct one last.
The 99th request, the one carrying the correct password, succeeded, and I was never locked out or blocked. Every request presented a fresh IP value, so the limiter, which evidently counted attempts per client IP, never saw more than one failure from any single "client".

This is how I found a rate-limit bypass on the login page, which, combined with password guessing, also leads to account takeover.
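To make the failure mode concrete, here is an added example (not code from the original post or from the target) that simulates the two sides: a login service whose rate limit is keyed on a client-supplied IP header, and a hardened one keyed on the target account and the real socket address. The Pitchfork loop pairs the i-th IP value with the i-th password exactly as described above. The `X-Forwarded-For` header, the lockout threshold of 5 and the sample passwords are assumptions; the post only says an "IP" position was used.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Sequence, Tuple

MAX_FAILURES = 5                                    # assumed lockout threshold
CORRECT_PASSWORD = "correct-horse-battery-staple"   # constructed sample secret

# Constructed Pitchfork payload sets mirroring the post: 99 "IP" values and
# 98 wrong passwords followed by the right one, so the 99th request is the hit.
IPS: List[str] = [f"198.51.100.{n}" for n in range(2, 101)]
PASSWORDS: List[str] = [f"wrong-{n}" for n in range(1, 99)] + [CORRECT_PASSWORD]


class VulnerableLoginService:
    """Rate limit keyed on the client IP the app *thinks* it sees.

    Assumption: the app trusts X-Forwarded-For, so an attacker who rotates that
    header looks like 99 different clients, each with a single failed attempt.
    """

    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)

    def login(self, headers: Dict[str, str], socket_ip: str, username: str, password: str) -> str:
        client_ip = headers.get("X-Forwarded-For", socket_ip)   # the bug: attacker-controlled key
        if self.failures[client_ip] >= MAX_FAILURES:
            return "blocked"
        if password == CORRECT_PASSWORD:
            return "ok"
        self.failures[client_ip] += 1
        return "invalid"


class HardenedLoginService:
    """Rate limit keyed on the target account and on the real socket address.

    Client-supplied forwarding headers are ignored, so rotating them no longer
    resets the budget. In production, pair the per-account counter with delays
    or a CAPTCHA rather than a hard lockout, or an attacker can lock real users out.
    """

    def __init__(self) -> None:
        self.failures: Dict[Tuple[str, str], int] = defaultdict(int)

    def login(self, headers: Dict[str, str], socket_ip: str, username: str, password: str) -> str:
        keys = (("account", username), ("ip", socket_ip))
        if any(self.failures[k] >= MAX_FAILURES for k in keys):
            return "blocked"
        if password == CORRECT_PASSWORD:
            self.failures[("account", username)] = 0
            return "ok"
        for k in keys:
            self.failures[k] += 1
        return "invalid"


def pitchfork_attack(service, ips: Sequence[str], passwords: Sequence[str],
                     username: str = "victim", socket_ip: str = "203.0.113.7") -> Tuple[int, Optional[str]]:
    """Send the i-th IP value with the i-th password, as Burp Pitchfork does.

    Returns (requests sent, password found or None). Stops at the first
    "blocked" response, since every later request would be rejected too.
    """
    sent = 0
    for ip, password in zip(ips, passwords):
        sent += 1
        result = service.login({"X-Forwarded-For": ip}, socket_ip, username, password)
        if result == "ok":
            return sent, password
        if result == "blocked":
            return sent, None
    return sent, None


if __name__ == "__main__":
    print("vulnerable:", pitchfork_attack(VulnerableLoginService(), IPS, PASSWORDS))  # (99, 'correct-horse-battery-staple')
    print("hardened:  ", pitchfork_attack(HardenedLoginService(), IPS, PASSWORDS))    # (6, None)
```

Against the vulnerable service the 99th request returns the password; against the hardened one the sixth request is already blocked, because the counter follows the account under attack and the real source address rather than a value the attacker chooses. The same keying mistake shows up with other client-controlled identifiers (device IDs, session cookies that are regenerated per request), so when you test a limiter, ask what it counts on, not just how many attempts it allows.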

I hope that my blog was helpful. Good luck hunting :)
