Upvote 1

Bug Report-[HIGH] No Rate Limit Bypass On Reset Password Options Vulnerability

Solved Tusher#7626 4 months ago

Hello team,
I have found a technique that can easily bypass the rate limit system of websites and with this bug we can easily attack into Verification Pin Option, Send unlimited number of huge notifications to victims, bypass OTP codes and takeover accounts etc.
Basically I have added a header X-Forwarded-For: 18.217.69.1 which will bypass the rate limit and reset request limits .
Every time the rate limit is exceeded just change IP to another one and the rate limit will reset itself.

Step to Reproduce:

Testing domain: https://alohaprofile.com/profile/reset-password
1.Go To Login Option and login in your account.

2.Now go to Reset Password option and click on Reset Password option & intercept with burp.

3.Now Go to positions Options and type X-Forwarded-For: 18.217.69.1 in under the host and then mark it $$ sing,
Then go to payload options and select payload numbers,
Now type 0,124,1 then go to attack.

You will see that you are able to submit 500 Reset Password Link.

Now Continue Sent request , If rate limit reached and blocked you then add X-Forwarded-For: 18.217.69.1 header. This will easily reset the rate limit. You can change IP address to 18.217.69.1,2,3,4,5,6 every time a website blocked you.
( With this bypass you can easily send unlimited amount of huge email notification to victim and make victim annoying )

Impact
Brute forcing verified panel
Trouble to the users on the website because huge email bombing can be done by the attackers within seconds.
Brute force OTP codes etc.


I hope you will fix this soon.


Kindly let me know i can get any Reward for this Bug?

If you need anything then please let me know.

I'm waiting For your reply.

Thank You.

Replies (1)

photo
1

Hi there,

Thanks for reporting, we will improve this flaw in upcoming releases. Unfortunately, we offer no rewards at the moment, but appreciate your good deed.

Regards,

Aloha Team

photo
1

Hello there,

Thank Your for your reply.

This is a valid Bug and also High Bug. Please again think this issue.


Impact:
Bypassing the X-Rate Limit-Limit header in an API can allow attackers to make unlimited requests, leading to resource exhaustion or other types of attacks.

If you give me any project for find full website Bug i do it perfectly and nicely. And i also do it in Small Budget.


I'm waiting for your reply.


Thanks & Regards.

photo
Leave a Comment
 
Attach a file