Bypassing Rate Limits via Race Conditions

Опубликовано: 18 Декабрь 2023
на канале: Intigriti

7,417

161

👩‍🎓👨‍🎓 Learn about Race Condition vulnerabilities and how to exploit them! This lab's login mechanism uses rate limiting to defend against brute-force attacks. However, this can be bypassed due to a race condition. To solve the lab, we need to work out how to exploit the race condition to bypass the rate limit, successfully brute force the password for carlos, log in to the admin panel and delete the user carlos 😎 #websecurity #bugbounty #portswigger #burpsuite

Overview:
0:00 Intro
0:10 Recap
1:32 Detecting and exploiting limit overrun race conditions with Turbo Intruder
3:11 Lab: Bypassing rate limits via race conditions
4:13 Explore login functionality to identify rate limiting conditions
4:55 Probe step 1: send requests as a sequence
5:50 Probe step 2: send requests in parallel
7:29 Prove: develop turbo intruder script/payload
10:03 Bonus: more on turbo intruder
16:06 Summary
16:35 Conclusion

If you're struggling with the concepts covered in this lab, please review https://portswigger.net/web-security/... 🧠

🔗 Portswigger challenge: https://portswigger.net/web-security/...

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by / _cryptocat ( ‪@_CryptoCat‬ ) & / intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com