Rate Limiting: What It Is And Why It Matters in Bug Bounty


Alp

Hey folks!

This is Alp, long time no see. I missed this platform, so I decided to write a short write-up. Today, I will write about a bug I came across during a pentest.

Q: What is the rate limit?

A: The rate limit is a restriction imposed on the number of requests or actions that can be made within a specific time period. It is a mechanism used to control and manage the usage of a service or resource, preventing abuse, overuse, or potential negative impacts on the system’s performance.

If you come across a rate limit mechanism, do not give up! In my case, there was a rate limit mechanism in the sign-in/sign-up section, and you could only sign in/sign up with a phone number.

To sign up, I sent an SMS code to my phone number using the example.com/api/send_otp endpoint. After being asked to enter the 6-digit code, I wanted to check whether there was a rate limit mechanism for entering the wrong code more than once on the example.com/api/enter_otp endpoint.

After trying 10 times, I received a rate limit error.

[Screenshot: rate limit response from the example.com/api/enter_otp endpoint]

I confirmed that there was a rate limit and waited for 12 hours. After 12 hours, I tried to use the example.com/api/enter_otp endpoint again.

Surprisingly, I got the same response again!

[Screenshot: response from the example.com/api/enter_otp endpoint 12 hours after the initial rate limit]

I tried to execute the same request again from a different IP address and got the same response. I noticed that they applied the rate limit to the phone number, not to an IP address. So, I quickly submitted a report.

In short, never skip the endpoints that are protected by rate limiting. You may find something similar to the bug I submitted, or your own unique security issue!

The rate limit on the example.com/api/enter_otp endpoint is phone-number based. So, if an attacker triggers it against all users' phone numbers, those users are no longer able to sign in or sign up to the app.

The main issue was that the rate limit didn’t reset after 12 hours.
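To make the failure mode concrete, here is an added example (my own illustration, not the author's code or the target's implementation) that models the two behaviours side by side: a per-phone-number attempt counter that never resets, which is what the write-up describes, and a fixed-window limiter whose counter expires so the legitimate owner of the number can try again. The limit of 10 attempts and the 12-hour retry come from the write-up; the 15-minute window length, the phone number and all class and function names are assumptions made for the example.

```python
"""Added example: OTP attempt limiting keyed by phone number.

NonExpiringLimiter reproduces the bug from the write-up (a counter that is never
reset). ExpiringLimiter shows a fixed-window counter that expires, so a lockout
ends on its own. Constructed scenario; MAX_ATTEMPTS and the 12-hour retry follow
the write-up, WINDOW_SECONDS and the sample number are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

MAX_ATTEMPTS = 10            # attempts observed before the endpoint rate-limited
WINDOW_SECONDS = 15 * 60     # assumed lockout window; the real app's value is unknown
TWELVE_HOURS = 12 * 3600     # the retry delay used in the write-up


class NonExpiringLimiter:
    """Models the bug: one counter per phone number, never decremented or expired."""

    def __init__(self) -> None:
        self.attempts: Dict[str, int] = {}

    def allow(self, phone: str, now: float) -> bool:
        count = self.attempts.get(phone, 0)
        if count >= MAX_ATTEMPTS:
            return False          # stays False forever: the counter is never reset
        self.attempts[phone] = count + 1
        return True


@dataclass
class Window:
    start: float
    count: int = 0


class ExpiringLimiter:
    """Fixed-window limiter keyed by phone number; the counter dies with the window."""

    def __init__(self) -> None:
        self.windows: Dict[str, Window] = {}

    def allow(self, phone: str, now: float) -> bool:
        w = self.windows.get(phone)
        if w is None or now - w.start >= WINDOW_SECONDS:
            w = Window(start=now)  # open a fresh window once the old one has expired
            self.windows[phone] = w
        if w.count >= MAX_ATTEMPTS:
            return False
        w.count += 1
        return True

    def retry_after(self, phone: str, now: float) -> int:
        """Seconds until this number may try again (0 if it is not blocked)."""
        w = self.windows.get(phone)
        if w is None or w.count < MAX_ATTEMPTS or now - w.start >= WINDOW_SECONDS:
            return 0
        return int(WINDOW_SECONDS - (now - w.start))


def simulate(limiter_cls) -> Tuple[bool, bool]:
    """Replay the write-up's scenario against a limiter class.

    Returns (blocked_after_10_failures, allowed_again_after_12_hours).
    """
    limiter = limiter_cls()
    phone = "+10000000000"                   # constructed sample number
    for i in range(MAX_ATTEMPTS):            # ten wrong codes, one per second
        assert limiter.allow(phone, float(i))
    blocked = not limiter.allow(phone, float(MAX_ATTEMPTS))
    allowed_later = limiter.allow(phone, float(TWELVE_HOURS))
    return blocked, allowed_later


if __name__ == "__main__":
    print("never-resetting counter:", simulate(NonExpiringLimiter))  # (True, False)
    print("expiring window:        ", simulate(ExpiringLimiter))     # (True, True)
```

The first limiter returns `(True, False)`: the block is applied correctly, but a victim's number stays unusable indefinitely, which is exactly the denial-of-service the report describes. The second returns `(True, True)` because the window expires. In a real deployment the limiter state would live in a shared store with a TTL rather than in memory, the response would carry the `retry_after` value, and the per-phone limit would be paired with a per-source limit so that a single client cannot exhaust other users' attempts at no cost.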

Thanks for reading! If you enjoyed it, you can give me a clap and a follow on Twitter!

Feel free to contact me on social media! I’m always free to answer your questions and messages!

Twitter: https://twitter.com/alp0x01

Discord: https://discord.com/users/361472055109091329 — @alp1337
