Rate Limit Bypass on Login by Changing Case of Characters in Email
During a security assessment, I found a rate limit bypass on the login system. The system is meant to lock an account after 16 incorrect password attempts, after which even the correct password is rejected. However, the lockout counter is evidently keyed on the submitted email string exactly as typed, while the credential lookup treats the address case-insensitively. Changing the case of a single character in the email therefore starts a fresh counter and allows continuous password attempts against the same account.
1. Set up repeated login attempts: using an incorrect password, attempt to log in at https://client.example.com 16 times with an email such as g4l2562z6v@tidissajiiu.com. (Tip: send the request to Burp Suite's Repeater tool for easy replaying of attempts.)
2. Observe the account lockout message: after 16 failed login attempts the account is locked, and even the correct password no longer works. Response in Burp Repeater:
{ "message": "Request limit exceeded. Please try again later.", "type": "too-many-requests" }
3. Change the case of a character in the email, for example from g4l2562z6v@tidissajiiu.com to g4l2562z6v@tidiSsajiiu.com (s -> S).
4. Continue login attempts with the modified email and any password. The rate limit no longer applies, even after another 16 attempts.
5. Confirm the bypass: repeat step 3, then log in with the correct password via the browser. The login succeeds even though the account is supposedly locked.
This vulnerability allows an attacker to bypass the lockout mechanism meant to protect accounts after 16 failed attempts. With a simple script that changes the case of a character after every 16 attempts, an attacker can try an unbounded number of passwords without ever being blocked: an address with n letters has 2^n case variants, and each variant is worth a fresh batch of 16 guesses.
To prevent this issue, apply the same normalisation to the email before the rate-limit check that the login lookup already applies: trim it, Unicode-normalise it and case-fold it, so that every variation in letter case maps to a single counter. Better still, key the lockout counter on the account the address resolves to rather than on the submitted string, and keep an independent per-IP or per-client limit so that no variation of the input can buy a fresh counter. The root cause is the mismatch between a case-insensitive credential lookup and a case-sensitive rate limiter; both must canonicalise the identifier the same way.
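The following is an added example, not code from the original write-up or from the affected application. It models a minimal in-memory login rate limiter keyed two ways, to show why the scripted case-flipping attack described above defeats a limiter keyed on the raw email string and why canonicalising the address before the check closes the hole. The user store, the correct password and the helper names are constructed for the demo; the threshold of 16 and the address are taken from the write-up. The case_variant helper generalises the single s -> S change in the text to enumerate every case variant of an address.

```python
# Added example, not code from the original write-up: a minimal in-memory
# login rate limiter keyed two ways, to show why the case-variation bypass
# works against a limiter that keys on the raw email string and why
# normalising the address before the check closes it. The user store, the
# password and the helper names are constructed for the demo; the address
# and the 16-attempt threshold are the ones in the write-up.
import unicodedata
from collections import defaultdict
from typing import Callable

MAX_FAILED_ATTEMPTS = 16
EMAIL = "g4l2562z6v@tidissajiiu.com"
CORRECT_PASSWORD = "correct-horse-battery-staple"   # constructed

# Constructed user store keyed by the canonical (already folded) address.
USERS = {EMAIL: CORRECT_PASSWORD}


def normalize_email(email: str) -> str:
    """Canonicalise an address so every case variant maps to one key.

    The domain part is case-insensitive by definition; the local part is
    formally case-sensitive but mainstream providers fold it, so the usual
    practice is to fold the whole address. NFKC first, so Unicode look-alikes
    (e.g. full-width letters) do not survive as distinct keys either.
    """
    return unicodedata.normalize("NFKC", email.strip()).casefold()


def case_variant(email: str, n: int) -> str:
    """Return the n-th case variant of email: bit i of n decides whether the
    i-th alphabetic character is upper-cased, so n=0 is the address unchanged
    and n=1 upper-cases only the first letter."""
    out, bit = [], 0
    for ch in email:
        if ch.isalpha():
            out.append(ch.upper() if (n >> bit) & 1 else ch)
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


class LoginRateLimiter:
    """Counts consecutive failed logins per key; locks once the limit is hit."""

    def __init__(self, key_fn: Callable[[str], str]):
        self.key_fn = key_fn            # maps the submitted email to a counter key
        self.failures = defaultdict(int)

    def attempt(self, email: str, password: str) -> str:
        key = self.key_fn(email)
        if self.failures[key] >= MAX_FAILED_ATTEMPTS:
            return "too-many-requests"  # locked, even for the correct password
        # The account lookup is case-insensitive, mirroring the target (the
        # write-up logs in successfully with the case-varied address).
        if USERS.get(normalize_email(email)) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "invalid-credentials"


def run_attack(limiter: LoginRateLimiter, email: str, guesses: int) -> int:
    """Brute-force simulation from the write-up: switch to a new case variant
    after every MAX_FAILED_ATTEMPTS guesses. Returns how many guesses the
    limiter actually evaluated rather than answering with a lockout."""
    evaluated = 0
    for i in range(guesses):
        variant = case_variant(email, i // MAX_FAILED_ATTEMPTS)
        if limiter.attempt(variant, f"guess-{i}") != "too-many-requests":
            evaluated += 1
    return evaluated


def demo(key_fn: Callable[[str], str]) -> tuple[int, str]:
    """Run 64 wrong guesses, then step 5 of the write-up: the correct password
    with yet another case variant. Returns (guesses evaluated, final response)."""
    limiter = LoginRateLimiter(key_fn)
    evaluated = run_attack(limiter, EMAIL, 4 * MAX_FAILED_ATTEMPTS)
    final = limiter.attempt(case_variant(EMAIL, 5), CORRECT_PASSWORD)
    return evaluated, final


if __name__ == "__main__":
    # Vulnerable: counter keyed on the raw string, so every variant is a fresh key.
    print("raw key:       ", demo(lambda e: e))      # (64, 'ok')
    # Fixed: counter keyed on the normalised address, one key for all variants.
    print("normalised key:", demo(normalize_email))  # (16, 'too-many-requests')
```

With the raw-string key all 64 wrong guesses are evaluated and the correct password still logs in afterwards, reproducing steps 4 and 5; with the normalised key only the first 16 guesses are evaluated and the final login is refused. In a real service the key should be the account id the address resolves to, with a separate per-IP or per-client limit alongside it, and the limiter and the credential lookup must share one canonicalisation routine.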
My next write-up will be about a special email verification bypass achieved using a unique method. Stay tuned! 🫂