Brute-force Protection Bypass
How I was able to bypass brute-force protection mechanism
Most modern web applications have mechanisms to protect against brute-force attacks.
One such mechanism is rate limiting: when too many requests arrive from a single client within a short window, the server starts responding with 429 Too Many Requests. Such mechanisms protect against email bombing, form-submission bombing and, most importantly, password or verification-code brute-forcing. A rate limiter is only as strong as the key it counts on, though: if the "client" is identified by an attacker-controlled value such as an X-Forwarded-For header, every request can present a fresh identity and the counter never reaches its limit.
Brute-forcing a verification code is a very traditional attack, but modern web applications have made it hard to exploit by deploying rate limiting or CAPTCHAs.
I came across one such target during a penetration test. When I tried to brute-force the verification code using Intruder, I started getting a 429 response code after 30 requests.
I tested various cases such as X-Forwarded-* header techniques, random User-Agents, etc. Read more here:
Finally I used a Burp extension called Burp Fake IP. Using this, I was able to send every request with a different IP.
The server responded with 200 OK on each request.
I filtered the responses based on content length.
I checked the response with the largest content length, and its message was "status:success".
Right-click > Show response in browser, and boom, I was in the victim's account.
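The simulation below is an added example, not code from the write-up or from the Burp Fake IP extension. It models both the rate limiting described at the top of the page and the bypass and response-filtering steps above: a verification endpoint whose attempt counter is keyed on a client IP derived from X-Forwarded-For, an "Intruder" loop that sends all 10,000 four-digit codes with a distinct spoofed IP per request, and a pick of the content-length outlier among the 200 responses. The hardened variant keys the counter on the account being verified instead, which is the fix a practitioner would recommend. All names, the endpoint shape, the secret code, the attempt limit and the addresses are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed values for the simulation (not from the original write-up).
MAX_ATTEMPTS = 30                # the write-up saw 429s after about 30 requests
SECRET_CODE = "4821"             # the 4-digit verification code being guessed
VICTIM = "victim@example.com"
ATTACKER_ADDR = "198.51.100.7"   # the real source address of every request


def client_ip(headers):
    """Weak client identification: trust X-Forwarded-For if present.

    This is what makes per-IP rate limiting bypassable. The header is
    attacker-controlled unless a trusted proxy sets it and the application
    only honours that proxy's value.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return headers["Remote-Addr"]


class VerifyEndpoint:
    """Simulated code-verification endpoint with an attempt counter.

    key_by_account=False reproduces the vulnerable behaviour (counter keyed on
    the spoofable client IP); key_by_account=True keys the counter on the
    account whose code is being verified, so spoofing the IP does not help.
    """

    def __init__(self, key_by_account=False):
        self.key_by_account = key_by_account
        self.attempts = defaultdict(int)

    def handle(self, headers, body):
        key = body["email"] if self.key_by_account else client_ip(headers)
        self.attempts[key] += 1
        if self.attempts[key] > MAX_ATTEMPTS:
            return 429, json.dumps({"status": "too many requests"})
        if body["code"] == SECRET_CODE:
            return 200, json.dumps({"status": "success", "session": "s3ss10n"})
        return 200, json.dumps({"status": "wrong code"})


def brute_force(endpoint, rotate_ip):
    """Send every 4-digit code, like an Intruder sniper payload set.

    With rotate_ip=True each request carries a distinct X-Forwarded-For value,
    which is what a fake-IP extension does. Mirrors the write-up's triage:
    keep the 200 response with the largest content length and report its
    code if that response says success. Also counts how many requests were
    rate-limited.
    """
    blocked = 0
    best = None  # (length, code, body) of the longest 200 response so far
    for i in range(10000):
        code = f"{i:04d}"
        headers = {"Remote-Addr": ATTACKER_ADDR}
        if rotate_ip:
            # Deterministic address that is unique per request.
            headers["X-Forwarded-For"] = f"10.0.{(i >> 8) & 255}.{i & 255}"
        status, resp = endpoint.handle(headers, {"email": VICTIM, "code": code})
        if status == 429:
            blocked += 1
            continue
        if best is None or len(resp) > best[0]:
            best = (len(resp), code, resp)
    found = None
    if best and json.loads(best[2]).get("status") == "success":
        found = best[1]
    return {"found": found, "blocked": blocked}


if __name__ == "__main__":
    # Same IP every time: limited after 30 attempts, code not found.
    print(brute_force(VerifyEndpoint(), rotate_ip=False))
    # Spoofed IP per request against a per-IP limiter: never limited, code found.
    print(brute_force(VerifyEndpoint(), rotate_ip=True))
    # Spoofed IP against a per-account limiter: the bypass no longer works.
    print(brute_force(VerifyEndpoint(key_by_account=True), rotate_ip=True))
```

The second run is the situation in the write-up: every request is a new "client" to the limiter, all 10,000 attempts get a 200, and the one success stands out purely by response length. The third run shows why keying the counter on the target account (or on the code-issuance event) rather than on the request's apparent source closes the bypass.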
Deep diving is the key
PS: You may be thinking that I could have changed "status:wrong code" to "status:success". I did try that, but it does not always work.