BOOK THIS SPACE FOR AD
ARTICLE ADHey folks!
This is Alp, long time no see. And I miss this platform. So, decided to write a short write-up. Today, I will write about a bug I came across while on a pentest.
Q: What is the rate limit?
A: The rate limit is a restriction imposed on the number of requests or actions that can be made within a specific time period. It is a mechanism used to control and manage the usage of a service or resource, preventing abuse, overuse, or potential negative impacts on the system’s performance.
If you come across a rate limit mechanism, do not give up! In my case, there was a rate limit mechanism in the sign-in/sign-up section. And could only sign in/sign up with a phone number.
To sign up, I sent an SMS code to my phone number using example.com/api/send_otp endpoint. After being asked to enter the 6-digit code, I wanted to check if there was a rate limit mechanism for entering the wrong code more than once in the example.com/api/enter_otp endpoint.
After trying 10 times, I received a rate limit error.
Rate limited in example.com/api/enter_otp endpointI confirmed that there was a rate limit and waited for 12 hours. After 12 hours, I tried to use example.com/api/enter_otpendpoint again.
Surprisingly, I got the same response again!
Response from the example.com/api/enter_otp endpoint 12 hours after initial rate limitI tried to execute the same request again with a different IP address and got the same response. I noticed that they applied the rate limit to the phone number, not an IP address. So, I quickly submitted a report.
In short, never skip the endpoints that are protected by rate limiting. You may find something similar to bug I submitted or your own unique security issue!
The rate limit in example.com/api/enter_otp endpoint is phone number based. So, if an attacker exploits it on all users’ phone numbers they’re not able to sign in/sign up to the app.
The main issue was that the rate limit didn’t reset after 12 hours.
Thanks for reading! If you enjoyed it, you can give me a clap and a follow on Twitter!
Feel free to contact me on social media! I’m always free to answer your questions and messages!
Twitter: https://twitter.com/alp0x01
Discord: https://discord.com/users/361472055109091329 — @alp1337