Today we'll talk about how to bypass rate limiting by bypassing a captcha.
This article will be brief; we will explain rate limiting and captcha bypass in detail in a later lesson.
What is rate limiting?
Rate limiting is a strategy for limiting network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe, for example how many login or account-creation requests one client may send per minute.
What is a captcha?
A captcha is a challenge meant to tell humans apart from automated clients. It is used mostly for security reasons, to stop automated abuse such as:
brute forcing, mass account creation on endpoints that have no rate limit, etc. It can also make CSRF harder, since an attacker cannot forge a request containing a challenge the victim never solved, but a proper CSRF token remains the real defense there.
Let's talk today about my experience with captcha. I entered one of the HackerOne programs looking for bugs, and when I went to the Create Account page I found a captcha, so I told myself that it must be there to prevent a rate-limit attack that creates multiple accounts. I decided to check whether the captcha value actually works or not.
1- I filled in the form data, then intercepted the request with Burp Suite.
2- I sent the request to Repeater and clicked Go.
3- I changed some of the characters in the captcha value and clicked Go again.
4- I went back to my email and found two account-creation messages. Do you know what this means?
Yes, friend, your sense of security works well. We have bypassed the captcha protection (the captcha value is fixed).
Therefore, the server accepts any value we enter. The important thing is that the captcha value must be 20 characters long. We send any 20 characters, regardless of who generated the captcha value.
The CSRF token has the same problem: the CSRF value is fixed too.
5- I sent the request to Intruder, cleared the positions and selected two characters of the captcha code as the payload position. You can use a simple list of numbers from 10 to 99, or set the payload type to Numbers, from 10 to 99 with step 1, as you like.
6- Start the attack, then go back to your email; you will find it full of account-creation emails.
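The following is an added example, not code from the original write-up or from the program that was tested. It models the Intruder step above in Python: a captured signup request is replayed with a fresh, arbitrary 20-character captcha value and a fixed CSRF value for each two-digit payload from 10 to 99. Two in-memory stand-ins for the server are constructed here: one that only checks the captcha's length (the behaviour the article observed) and one that issues a single-use captcha solution and CSRF token per source and also rate-limits repeated attempts. The field names, the per-source attempt cap and the email pattern are assumptions for illustration.

```python
"""Added example: replaying a signup request with arbitrary captcha values.

Constructed for illustration; the real target is not named in the article.
The 20-character captcha length and the 10..99 payload range come from the
write-up, everything else (field names, MAX_ATTEMPTS, emails) is assumed.
"""
import secrets
import string
from dataclasses import dataclass, field

CAPTCHA_LEN = 20        # observed in the article: any 20-character value is accepted
MAX_ATTEMPTS = 5        # assumed cap for the hardened server's rate limit


@dataclass
class VulnerableSignup:
    """Mirrors the bug: the captcha and CSRF values are 'fixed' in the sense
    that only their shape is checked, never their content or freshness."""
    accounts: list = field(default_factory=list)

    def signup(self, source: str, email: str, captcha: str, csrf_token: str) -> bool:
        if len(captcha) != CAPTCHA_LEN or not csrf_token:
            return False
        self.accounts.append(email)
        return True


@dataclass
class HardenedSignup:
    """Issues a one-time captcha solution and CSRF token per source, consumes
    them on first use, and rate-limits repeated attempts from one source."""
    accounts: list = field(default_factory=list)
    _pending: dict = field(default_factory=dict)   # source -> (solution, csrf)
    _attempts: dict = field(default_factory=dict)  # source -> attempt count

    def challenge(self, source: str) -> tuple:
        """Hand out a fresh challenge; the solution is only known server-side."""
        solution = "".join(secrets.choice(string.ascii_lowercase) for _ in range(6))
        csrf = secrets.token_hex(16)
        self._pending[source] = (solution, csrf)
        return solution, csrf

    def signup(self, source: str, email: str, captcha: str, csrf_token: str) -> bool:
        self._attempts[source] = self._attempts.get(source, 0) + 1
        if self._attempts[source] > MAX_ATTEMPTS:
            return False                                # rate limit hit
        pending = self._pending.pop(source, None)       # single use: gone after this
        if pending is None:
            return False                                # no challenge, or already used
        solution, csrf = pending
        if not (secrets.compare_digest(captcha, solution)
                and secrets.compare_digest(csrf_token, csrf)):
            return False
        self.accounts.append(email)
        return True


def intruder_run(server, payloads=range(10, 100), source="attacker") -> int:
    """Model of the Intruder attack: keep the captured request, vary the
    two-digit payload, and send an arbitrary 20-character captcha each time.
    Returns how many accounts the server created."""
    created = 0
    for n in payloads:
        email = f"target+{n}@example.com"               # constructed address per payload
        captcha = secrets.token_hex(CAPTCHA_LEN // 2)   # 20 hex chars of arbitrary content
        if server.signup(source, email, captcha, "fixed-csrf-value"):
            created += 1
    return created


if __name__ == "__main__":
    print("vulnerable server:", intruder_run(VulnerableSignup()), "accounts created")
    print("hardened server:  ", intruder_run(HardenedSignup()), "accounts created")
```

Against the vulnerable stand-in every one of the 90 replays creates an account, which is the mailbox full of confirmation emails the article describes. Against the hardened one none succeed: the replayed values never match an issued solution, a genuine solution is consumed on first use so it cannot be replayed, and the attempt counter stops the loop regardless of captcha handling.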