Hello everyone,
This is my second blog post; you can read my first one Here. Follow me on Instagram and Twitter.
What is a rate limit?
"No rate limit" is a flaw where the server does not cap the number of attempts a client can make against it, for example to extract data or to brute-force a credential. It is a vulnerability that can prove critical when misused by attackers. Real-life example: when you try to log in to your account and make 3–4 wrong attempts, your account gets suspended for some hours; that suspension is a rate limit doing its job.
So I'm working on a private program that is a grocery-selling website, and I'm checking for log-in security bugs; here you can only log in via OTP. I was trying to log in without the OTP, then I realized I should check the rate limit. I sent an OTP to my number; to resend the OTP you have to wait one minute, and after one minute you can send another OTP. Then I opened Burp Suite, captured the send-OTP request and sent it to Intruder.
Click on the "Intruder" tab -> click "Positions" -> click the "Clear" button, then click on "Payloads"; under Payload type select "Null payloads" and in "Generate" enter 50.
As I said above, you can only send an OTP after 1 minute, so go to Options and change the Throttle (milliseconds) value to "61000".
Click on the "Start Attack" button and BOOM: after every one minute I get an OTP on my number.
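The write-up shows that the one-minute resend wait on its own is not a rate limit: a client that simply waits 61 seconds between requests can trigger as many OTP messages as it likes. The example below, added here and not code from the program or the author, shows what the server side needs instead: a per-number cooldown plus a rolling cap on the number of OTPs sent per window. The class name `OtpSendLimiter`, the helper `simulate_resend_loop`, the limits, and the phone number are all constructed for illustration.

```python
"""Server-side rate limiting for a "send OTP" endpoint (constructed example).

Two independent controls, both keyed on the destination phone number:
  * a per-number cooldown (the "resend after one minute" rule), and
  * a rolling per-number cap on how many OTPs may be sent per window,
    which is what actually stops a client that waits out the cooldown
    and resends 50 times.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass
class OtpSendLimiter:
    cooldown_seconds: int = 60    # minimum gap between two sends to one number
    max_per_window: int = 5       # hard cap on sends per number per window
    window_seconds: int = 3600    # rolling window the cap applies to
    # timestamps of successful sends per normalized number (in-memory store;
    # a real deployment would keep this in a shared store such as Redis)
    _sent_at: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque)
    )

    @staticmethod
    def normalize(phone: str) -> str:
        # Strip spaces and dashes so "+91 98765-43210" and "+919876543210"
        # land in the same bucket; otherwise the cap is trivially bypassed.
        return "".join(ch for ch in phone if ch.isdigit() or ch == "+")

    def request_send(self, phone: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Call this before generating or sending an OTP."""
        key = self.normalize(phone)
        history = self._sent_at[key]
        # Drop timestamps that have fallen out of the rolling window.
        while history and now - history[0] >= self.window_seconds:
            history.popleft()
        if history and now - history[-1] < self.cooldown_seconds:
            return False, "cooldown"
        if len(history) >= self.max_per_window:
            return False, "window_cap"
        history.append(now)
        return True, "sent"


def simulate_resend_loop(limiter: OtpSendLimiter, phone: str,
                         attempts: int, spacing_seconds: float,
                         start: float = 0.0) -> int:
    """Replay `attempts` send requests spaced `spacing_seconds` apart
    (the Intruder pattern from the post) and return how many were allowed."""
    allowed = 0
    for i in range(attempts):
        ok, _ = limiter.request_send(phone, start + i * spacing_seconds)
        allowed += int(ok)
    return allowed


if __name__ == "__main__":
    # Constructed number; 50 requests, 61 s apart, as in the Intruder run.
    cooldown_only = OtpSendLimiter(max_per_window=10**9)
    print("cooldown only :", simulate_resend_loop(cooldown_only, "+91 98765-43210", 50, 61))
    with_cap = OtpSendLimiter()
    print("cooldown + cap:", simulate_resend_loop(with_cap, "+91 98765-43210", 50, 61))
```

Run as a script, the first line reports that a cooldown-only limiter lets all 50 sends through, while the cooldown-plus-cap limiter allows only 5 in the hour and rejects the rest with `window_cap`. Keying on the normalized number matters because the cap is per recipient; a per-IP limit alone would not have protected the victim's phone here.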
Reported on: Aug 25, 2022
Response on: Aug 25, 2022
Marked as duplicate on Tue, Aug 30
Thanks for reading.