From a53839b788f29023fdc99afca73999531408187f Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 11 Jul 2025 01:30:33 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/pentesting-web/rate-limit-bypa... --- .../reversing-native-libraries.md | 8 +- src/pentesting-web/rate-limit-bypass.md | 73 +++++++++++++++++-- 2 files changed, 72 insertions(+), 9 deletions(-) diff --git a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md index 03213da50..ea060841d 100644 --- a/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md +++ b/src/mobile-pentesting/android-app-pentesting/reversing-native-libraries.md @@ -61,7 +61,7 @@ Java.perform(function () { }); }); ``` -Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. citeturn5search2turn5search0 +Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) as long as you use frida-server 16.2 or later – earlier versions failed to locate padding for inline hooks. --- @@ -69,7 +69,7 @@ Frida will work out of the box on PAC/BTI-enabled devices (Pixel 8/Android 14+) | Year | CVE | Affected library | Notes | |------|-----|------------------|-------| -|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| citeturn2search0| +|2023|CVE-2023-4863|`libwebp` ≤ 1.3.1|Heap buffer overflow reachable from native code that decodes WebP images. Several Android apps bundle vulnerable versions. When you see a `libwebp.so` inside an APK, check its version and attempt exploitation or patching.| | |2024|Multiple|OpenSSL 3.x series|Several memory-safety and padding-oracle issues. Many Flutter & ReactNative bundles ship their own `libcrypto.so`.| When you spot *third-party* `.so` files inside an APK, always cross-check their hash against upstream advisories. SCA (Software Composition Analysis) is uncommon on mobile, so outdated vulnerable builds are rampant. @@ -92,7 +92,7 @@ When you spot *third-party* `.so` files inside an APK, always cross-check their ### References -- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) citeturn5search0 -- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) citeturn2search0 +- Frida 16.x change-log (Android hooking, tiny-function relocation) – [frida.re/news](https://frida.re/news/) +- NVD advisory for `libwebp` overflow CVE-2023-4863 – [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/rate-limit-bypass.md b/src/pentesting-web/rate-limit-bypass.md index 615692401..30c40cecf 100644 --- a/src/pentesting-web/rate-limit-bypass.md +++ b/src/pentesting-web/rate-limit-bypass.md @@ -54,11 +54,74 @@ If the target system applies rate limits on a per-account or per-session basis, Note that even if a rate limit is in place you should try to see if the response is different when the valid OTP is sent. In [**this post**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732), the bug hunter discovered that even if a rate limit is triggered after 20 unsuccessful attempts by responding with 401, if the valid one was sent a 200 response was received. -### Tools +--- -- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): hashtag-fuzz is a fuzzing tool designed to test and bypass WAFs and CDNs. By leveraging advanced features such as random User-Agent and header value, random delays, handle multi-threading, selective chunking of wordlists and Round Robin proxy rotation for each chunked, it offers a robust solution for security professionals aiming to identify vulnerabilities in web applications. +### Abusing HTTP/2 multiplexing & request pipelining (2023-2025) + +Modern rate–limiter implementations frequently count **TCP connections** (or even individual HTTP/1.1 requests) instead of the *number of HTTP/2 streams* a connection contains. When the same TLS connection is reused, an attacker can open hundreds of parallel streams, each carrying a separate request, while the gateway only deducts *one* request from the quota. + +```bash +# Send 100 POST requests in a single HTTP/2 connection with curl +seq 1 100 | xargs -I@ -P0 curl -k --http2-prior-knowledge -X POST \ + -H "Content-Type: application/json" \ + -d '{"code":"@"}' https://target/api/v2/verify &>/dev/null +``` + +If the limiter protects only `/verify` but not `/api/v2/verify`, you can also combine **path confusion** with HTTP/2 multiplexing for *extremely* high-speed OTP or credential brute-forcing. + +> 🐾 **Tip:** PortSwigger’s [Turbo Intruder](https://portswigger.net/research/turbo-intruder) supports HTTP/2 and lets you fine-tune `maxConcurrentConnections` and `requestsPerConnection` to automate this attack. + +### GraphQL aliases & batched operations + +GraphQL allows the client to send **several logically independent queries or mutations in a single request** by prefixing them with *aliases*. Because the server executes every alias but the rate-limiter often counts only *one* request, this is a reliable bypass for login or password-reset throttling. + +```graphql +mutation bruteForceOTP { + a: verify(code:"111111") { token } + b: verify(code:"222222") { token } + c: verify(code:"333333") { token } + # … add up to dozens of aliases … +} +``` + +Look at the response: exactly one alias will return 200 OK when the correct code is hit, while the others are rate-limited. + +The technique was popularised by PortSwigger’s research on “GraphQL batching & aliases” in 2023 and has been responsible for many recent bug-bounty payouts. + +### Abuse of *batch* or *bulk* REST endpoints + +Some APIs expose helper endpoints such as `/v2/batch` or accept an **array of objects** in the request body. If the limiter is placed in front of the *legacy* endpoints only, wrapping multiple operations inside a single bulk request may completely sidestep the protection. + +```json +[ + {"path": "/login", "method": "POST", "body": {"user":"bob","pass":"123"}}, + {"path": "/login", "method": "POST", "body": {"user":"bob","pass":"456"}} +] +``` + +### Timing the sliding-window + +A classic token-bucket or leaky-bucket limiter *resets* on a fixed time boundary (for example, every minute). If the window is known (e.g. via error messages such as `X-RateLimit-Reset: 27`), fire the maximum allowed number of requests **just before** the bucket resets, then immediately fire another full burst. + +``` +|<-- 60 s window ‑->|<-- 60 s window ‑->| + ###### ###### +``` + +This simple optimisation can more than double your throughput without touching any other bypass technique. + +--- + +## Tools + +- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): Fuzzing tool that supports header randomisation, chunked word-lists and round-robin proxy rotation. +- [**https://github.com/ustayready/fireprox**](https://github.com/ustayready/fireprox): Automatically creates disposable AWS API Gateway endpoints so every request originates from a different IP address – perfect for defeating IP-based throttling. +- **Burp Suite – IPRotate + extension**: Uses a pool of SOCKS/HTTP proxies (or AWS API Gateway) to rotate the source IP transparently during *Intruder* and *Turbo Intruder* attacks. +- **Turbo Intruder (BApp)**: High-performance attack engine supporting HTTP/2 multiplexing; tune `requestsPerConnection` to 100-1000 to collapse hundreds of requests into a single connection. + +## References + +- PortSwigger Research – “Bypassing rate limits with GraphQL aliasing” (2023) +- PortSwigger Research – “HTTP/2: The Sequel is Always Worse” (section *Connection-based throttling*) (2024) {{#include ../banners/hacktricks-training.md}} - - -