Hackt3r

My first P4 finding

Updated: Jan 11, 2022

Hello everyone!


Today I am going to share with you my experience of finding my first P4 vulnerability on a private program. The bug I found is missing rate limiting.



So let's get into our story and learn how you can also find one.


I am a beginner and I don't know much about bug hunting yet. I have just started learning and experimenting on different private and public platforms with the vulnerabilities I know so far, and none of them were actually in scope because they are P5 or not accepted, my bad. Like any other day, I was going through some of the reports on HackerOne and found an interesting bug, which I loved at first sight.


By this time you should have already guessed it (as I mentioned earlier 😉). So, I had some private programs on my list and I started checking for this vulnerability on those websites. Fortunately, I found it on the very first try. I tried the steps on the password reset form and boom!!! my inbox was flooded with messages. I was happy that I had my first rate limiting bug, and I reported it without any delay. I then checked the other fields and found nothing.


Now I was waiting for their reply, and after an hour or so I got an email from them. I opened it and found out that my report was a duplicate, as someone had already reported it to them 🥲. Well, this is not new to me, as this is not my first duplicate 😅. So as my adrenaline rush came down a bit, I started looking for the same issue on other websites too, found some, and reported them.


So here is my story of how I got my first P4 bug. It is a simple vulnerability that is very easy to find out there. Now let's learn how you can actually find one.

  1. Choose a website you want to test for this vulnerability.

  2. Look for fields where the website sends an email to the user, for example: password reset forms, email confirmations, OTP verification, and login requests (to block someone's account by giving wrong credentials).

  3. Enter the victim's email in the required field and capture the request in Burp Suite.

  4. Send the request to Intruder. In the Positions tab clear all the positions, and in the Payloads tab select Null payloads as the payload type and generate more than 100 payloads.

  5. Click the Start attack button and check the response codes. If you get responses other than 200, rate limiting is applied and the field is not vulnerable.

  6. But if you get 200 responses for all the requests you sent, there you go, you have got your bug!!!

How can this be dangerous

Technically this is not dangerous by itself, but it can be used to defame an organization. If a person receives such a huge number of emails, they are going to assume that something is wrong with the organization, and that creates a bad reputation for it.


Why rate limiting is used

Rate limiting is generally put in place as a defensive measure for services. Services need to protect themselves from excessive use — whether intended or unintended — to maintain service availability. Even highly scalable systems should have limits on consumption at some level.
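To tie the check in the steps above to the defence described here, the following is an added example (my own illustration, not code from the original post or from any program the author tested). It models a password-reset endpoint with a sliding-window limiter keyed on the normalised email address and on the client IP, and a `replay_check` function that simulates the Intruder run from the post: many identical requests in a burst, counting how many come back as 200. The endpoint, the limits (5 per address and 50 per IP in 15 minutes) and the email addresses are assumptions chosen for illustration; with the limiters disabled it reproduces the vulnerable behaviour the post found, with them enabled only the first few requests succeed.

```python
"""Added example: a sliding-window rate limiter for an email-sending
endpoint (password reset), plus a simulation of the post's "send 100+
requests and look for 200s" check.  Endpoint, limits and addresses are
assumptions for illustration, not values from the original post."""
import time
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key inside any `window`-second span.

    A limit of None disables the limiter (used below to model the
    vulnerable endpoint from the post).
    """

    def __init__(self, limit: Optional[int], window: float):
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        if self.limit is None:
            return True
        q = self._hits.setdefault(key, deque())
        # Forget hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetEndpoint:
    """Assumed password-reset handler with per-address and per-IP limits.

    The default limits are illustrative, not a recommendation from the post.
    """

    def __init__(self, per_email: Optional[int] = 5, per_ip: Optional[int] = 50,
                 window: float = 15 * 60):
        self.email_limiter = SlidingWindowLimiter(per_email, window)
        self.ip_limiter = SlidingWindowLimiter(per_ip, window)
        self.outbox: List[str] = []  # stands in for the mail sender

    def password_reset(self, email: str, client_ip: str,
                       now: Optional[float] = None) -> int:
        """Return an HTTP-style status code for one reset request.

        The address is lower-cased and stripped so that "Victim@X" and
        "victim@x " share one bucket.  200 is returned for unknown
        addresses too, so the response does not reveal who is registered.
        """
        now = time.time() if now is None else now
        email_key = email.strip().lower()
        if not self.ip_limiter.allow(client_ip, now):
            return 429
        if not self.email_limiter.allow(email_key, now):
            return 429
        self.outbox.append(email_key)
        return 200


def replay_check(endpoint: ResetEndpoint, email: str, client_ip: str,
                 count: int = 150) -> Tuple[int, int, int]:
    """Model the post's Intruder run: `count` identical requests in a burst.

    Returns (responses with 200, responses with another code, emails sent).
    All-200 is exactly the finding the post describes.
    """
    sent_before = len(endpoint.outbox)
    t0 = 1_700_000_000.0  # constructed clock so the run is deterministic
    codes = [endpoint.password_reset(email, client_ip, now=t0 + i * 0.01)
             for i in range(count)]
    ok = codes.count(200)
    return ok, count - ok, len(endpoint.outbox) - sent_before


if __name__ == "__main__":
    vulnerable = ResetEndpoint(per_email=None, per_ip=None)
    print("no limit:  ", replay_check(vulnerable, "victim@example.com", "203.0.113.5"))
    hardened = ResetEndpoint()
    print("with limit:", replay_check(hardened, "victim@example.com", "203.0.113.5"))
```

Two details matter in practice: the limiter keys on the normalised address, so varying the case or adding whitespace does not open a fresh bucket, and the endpoint returns 200 for unknown addresses as well, so the limit can be added without turning the form into a user-enumeration oracle.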


PS: This is the very first post I am publishing; I would love to hear your feedback and improve. I am currently an undergraduate student and I am hoping to create much more content. I will try to upload posts as regularly as I can.



Till then Take Care and Happy Hacking!!!
