Missing Request Rate Limiting

Zakkir
2 min read · Mar 10, 2021

Hello guys, hope everyone is well. I would like to share one of my findings.

What is Rate Limiting?

Rate limiting blocks users, bots, or applications that are over-using or abusing a web property. Rate limiting can stop certain kinds of bot attacks.

How I made use of this missing feature

I was trying brute force with different values on the application injection point, which is the authentication page. I found that there was no limit on requests in the particular web application I was testing.

All the requests from my IP address were validated by the database and returned failure responses instead of the HTTP rate-limiting status code 429. At one point I found that a request with different authentication information was successfully accepted and allowed access to the application interface, even though that was not my login but the login details of some unknown user whose username and password I had given randomly in the brute-force wordlist.

How to stop this kind of attack?

To stop this kind of attack, make use of a rate-limiting feature that blocks a high number of requests from a particular IP address within a particular time period, answering the excess requests with HTTP status code 429 before the credentials are checked against the database.
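One way to implement the per-IP, per-time-window limit described above, written here as an added example (not code from the original post). The credential store, IP addresses, limit of 5 attempts per 60 seconds and the injectable clock are constructed for the demo:

```python
import time
from collections import deque

HTTP_OK = 200
HTTP_UNAUTHORIZED = 401
HTTP_TOO_MANY_REQUESTS = 429


class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per client IP
    within `window_seconds`. The clock is injectable so the logic can be
    exercised without sleeping."""

    def __init__(self, limit=5, window_seconds=60, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._attempts = {}  # ip -> deque of attempt timestamps

    def check(self, ip):
        """Return (allowed, retry_after_seconds); records the attempt if allowed."""
        now = self.clock()
        q = self._attempts.setdefault(ip, deque())
        # Drop attempts that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            retry_after = int(self.window - (now - q[0])) + 1
            return False, retry_after
        q.append(now)
        return True, 0


# Constructed credential store for the demo (placeholder, not a real app).
USERS = {"alice": "correct-horse-battery-staple"}


def handle_login(limiter, ip, username, password):
    """Minimal login handler: rate-limit check first, then credential check.
    Returns (status_code, headers)."""
    allowed, retry_after = limiter.check(ip)
    if not allowed:
        # 429 is returned before the credential store is consulted at all,
        # so a brute-force wordlist never reaches the database.
        return HTTP_TOO_MANY_REQUESTS, {"Retry-After": str(retry_after)}
    if USERS.get(username) == password:
        return HTTP_OK, {}
    return HTTP_UNAUTHORIZED, {}
```

The limiter counts every attempt, successful or not, so a valid guess buried in a wordlist is still refused once the window is exhausted.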

Note: I didn’t add any POC details to this blog because the exploited application is a very sensitive application.

Zakkir

Security Analyst & Engineer, Threat Researcher, Threat Hunter, Advisory Threat Emulator