Rate Limit Bypass Due to Cryptographic Weakness

Javroot
3 min read · Jul 6, 2024


My name is Matin, a dedicated bug hunter and security researcher. I'm excited to present my inaugural write-up, which delves into a significant vulnerability discovered in a public program. Let's embark on this hunting expedition together!

First Step

1. Introduction

This report details a critical vulnerability discovered in the password set function of the application, which allows an attacker to bypass the rate-limiting mechanism. It can be exploited for brute-force attacks or denial of service (DoS) by repeatedly attempting to set a password without restriction.

Let's start with how this logic flaw was found.

After navigating to my target program, I found the OTP flow used as the password function. Now let's check and analyse how.

This request is my login function with the OTP code. First we need to analyse the token. After sending 5 requests I found a weakness in the token generation function. Let's see:

But where is the weakness?

This is the token structure:

The vulnerability exists in the implementation of the rate-limiting mechanism within the password set function. Specifically, the function generates a logged_in_from_canonical_asset_id whose last three characters are randomly created: two lowercase letters followed by one digit. That is only 26 × 26 × 10 = 6,760 possible values, so the "random" part is trivially predictable and can be enumerated outright. Because the rate limit is evidently tracked against this identifier, an attacker who supplies fresh values of it can keep sending password-set requests without ever hitting the limit.

Now we need to write some code to generate new tokens. I used Go:

package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Alphabet for the three-character suffix: two lowercase letters, then one digit.
const (
	letters = "abcdefghijklmnopqrstuvwxyz"
	numbers = "0123456789"
)

// generateCustomCode builds one candidate suffix in the observed format.
// The generator is seeded once in main instead of calling rand.Seed on every
// call, which would reseed with the same nanosecond timestamp on fast loops.
func generateCustomCode(rng *rand.Rand) string {
	code := make([]byte, 3)
	for i := 0; i < 2; i++ {
		code[i] = letters[rng.Intn(len(letters))]
	}
	code[2] = numbers[rng.Intn(len(numbers))]
	return string(code)
}

func main() {
	const numCodes = 1000 // well under the 26*26*10 = 6760 possible values
	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
	codes := make(map[string]bool, numCodes)

	// Keep drawing until we have numCodes distinct values, printing each new one.
	for len(codes) < numCodes {
		code := generateCustomCode(rng)
		if !codes[code] {
			codes[code] = true
			fmt.Println(code)
		}
	}
}

After running this code we have 1000 random values. Let's test them on the application:
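The following is an added example, not code from the original write-up or from the affected application. It ties together the token-structure analysis above and the generator: instead of sampling random suffixes and discarding duplicates, it enumerates the whole 26 × 26 × 10 keyspace exactly once, then runs those identifiers against a toy rate limiter to show why keying the limit on a client-supplied identifier is the real problem. The limiter, the limit of 5 attempts, the target account name and the SecureSuffix fix are assumptions made for illustration; nothing here talks to a live service.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Alphabet of the three-character suffix described in the write-up:
// two lowercase letters followed by one digit.
const (
	letters = "abcdefghijklmnopqrstuvwxyz"
	digits  = "0123456789"
)

// EnumerateSuffixes returns every possible suffix exactly once
// (26 * 26 * 10 = 6,760 values), so no attempts are wasted on duplicates.
func EnumerateSuffixes() []string {
	out := make([]string, 0, len(letters)*len(letters)*len(digits))
	for _, a := range letters {
		for _, b := range letters {
			for _, d := range digits {
				out = append(out, string([]rune{a, b, d}))
			}
		}
	}
	return out
}

// Limiter is a toy fixed-window rate limiter: at most Max attempts per key.
// It models the vulnerable behaviour described in the post, where the key
// is an identifier the client supplies (an assumption made for this example).
type Limiter struct {
	Max   int
	count map[string]int
}

func NewLimiter(max int) *Limiter {
	return &Limiter{Max: max, count: make(map[string]int)}
}

// Allow reports whether another attempt under key is permitted.
func (l *Limiter) Allow(key string) bool {
	if l.count[key] >= l.Max {
		return false
	}
	l.count[key]++
	return true
}

// AttemptsWithRotation counts how many password-set attempts get through
// against the target account when the attacker rotates through ids.
// keyByTarget=true models the fix: the limiter is keyed on the account being
// attacked, so the client-supplied id no longer matters.
func AttemptsWithRotation(l *Limiter, ids []string, target string, keyByTarget bool) int {
	allowed := 0
	for _, id := range ids {
		for i := 0; i < l.Max+1; i++ { // keep trying until this id is exhausted
			key := id
			if keyByTarget {
				key = target
			}
			if l.Allow(key) {
				allowed++
			}
		}
	}
	return allowed
}

// SecureSuffix shows the kind of identifier that closes the enumeration gap:
// n bytes from crypto/rand, hex-encoded (16 bytes = 128 bits of entropy).
func SecureSuffix(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	ids := EnumerateSuffixes()
	fmt.Println("keyspace:", len(ids))

	vuln := NewLimiter(5)
	fmt.Println("attempts allowed, limiter keyed on client id:",
		AttemptsWithRotation(vuln, ids, "victim@example.com", false))

	fixed := NewLimiter(5)
	fmt.Println("attempts allowed, limiter keyed on target account:",
		AttemptsWithRotation(fixed, ids, "victim@example.com", true))

	s, _ := SecureSuffix(16)
	fmt.Println("secure suffix:", s)
}
```

With the limiter keyed on the client-chosen suffix, rotating through all 6,760 values yields 6,760 × 5 = 33,800 allowed attempts against one account; keyed on the target account, the same loop is cut off after 5. Note that a longer suffix from crypto/rand alone is not enough if the server still trusts the client to pick the identifier; the keying change is the one that actually enforces the limit.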

Conclusion

The discovery of this rate-limit bypass underscores the importance of sound cryptographic implementations when identifiers are used to enforce rate limits. A three-character suffix made of two letters and a digit has only 26 × 26 × 10 = 6,760 possible values, which an attacker can enumerate outright; the resulting bypass enables brute-force and denial-of-service (DoS) attacks that compromise both the security and the availability of the application.

Two changes close the gap: generate the random part of the identifier with a cryptographically secure source (such as crypto/rand) and make it long enough that enumeration is infeasible, and key the rate limit on something the client cannot choose, such as the account whose password is being set, rather than on a client-supplied identifier. Together with monitoring for unusual volumes of password-set requests, this prevents attackers from bypassing the limit and keeps the password-setting functionality protected from abuse.

Happy Hunting XD
