Brute-force Protection Bypass

How I was able to bypass a brute-force protection mechanism

Most modern web applications have mechanisms to protect against brute-force attacks.

One such mechanism is rate limiting: when too many requests arrive from a single user, the server responds with 429 Too Many Requests. Such mechanisms protect against attacks like email bombing, form-submission bombing and, most importantly, password or code brute-forcing.

Brute-forcing a verification code is a very traditional attack, but modern web applications have made it difficult to exploit by deploying rate limiting or CAPTCHAs.

I came across one such target during a penetration test. When I tried to brute-force the verification code using Burp Intruder, I started getting a 429 response code after 30 requests.

I tested various bypass cases such as X-Forwarded-For/Host header techniques, random User-Agent values, etc. Read more here: https://www.websecgeeks.com/2015/06/bypass-brute-force-protection-login.html

Finally I used a Burp extension called burpFakeIP (https://github.com/TheKingOfDuck/burpFakeIP). Using it, I was able to send every request with a different IP.

The server responded with 200 OK on each request.
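To show why rotating the source address defeats a limiter like the one above, here is an added example (my own, not from the original post or the burpFakeIP project). It models a rate limiter in two modes: one that keys its counter on whatever X-Forwarded-For value the client sends, and one that honours that header only when the connection comes from an assumed trusted proxy range (10.0.0.0/8, constructed) and otherwise keys on the TCP peer address. The limit of 30 and all addresses are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed values: the reverse-proxy range the app is assumed to sit behind,
# and the threshold the post reports (429s began after 30 requests).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
LIMIT = 30

def _is_trusted(ip):
    """True when ip lies inside a trusted proxy range; unparsable input is untrusted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)

class RateLimiter:
    def __init__(self, limit=LIMIT, trust_forwarded=False):
        self.limit = limit
        self.trust_forwarded = trust_forwarded  # True reproduces the bypassable setup
        self.counts = defaultdict(int)

    def client_key(self, peer_ip, headers):
        """Pick the identity the request counter is keyed on."""
        xff = headers.get("X-Forwarded-For", "")
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if self.trust_forwarded and hops:
            return hops[0]          # vulnerable: the client chooses its own key
        if not _is_trusted(peer_ip):
            return peer_ip          # direct connection: the header is untrusted input
        for hop in reversed(hops):  # behind a proxy: walk back past trusted hops
            if not _is_trusted(hop):
                return hop          # rightmost untrusted hop is the real client
        return peer_ip

    def allow(self, peer_ip, headers):
        """True to serve the request, False to answer 429 Too Many Requests."""
        key = self.client_key(peer_ip, headers)
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(limiter, attempts, rotate_header):
    """Replay `attempts` code guesses from one peer, optionally with a fresh
    X-Forwarded-For per request (what burpFakeIP does). Returns guesses served."""
    served = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i % 254 + 1}"} if rotate_header else {}
        if limiter.allow("198.51.100.7", headers):  # constructed client peer address
            served += 1
    return served
```

With the header trusted blindly, all 100 guesses are served; keyed on the peer address, only the first 30 get through and the rest receive 429.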

I filtered the responses by content length.

I checked the response with the largest content length, and its response message was "status:success".

Right Click > Show response in browser, and boom 💥, I was in the victim's account.

Deep diving is the key 🔑

PS: You may be thinking that I could have changed "status:wrong code" to "status:success" in the response. I did try that, but it does not always work.
