Wednesday, 23 November 2016

Slack Rate Limit Bypass

Slack Rate Limit Bypass


First of all, Thanks to all readers for the appreciation got in my inbox.

Today we will see, How i was able to Bypass The Rate Limit Implemented In Slack for preventing automated/brute force attempts.

Rate limit is now days a very common things, They can be found every where.Usually rate limit are deployed to prevent automated and brute force attempts, Such as brute forcing OTP (One Time Password) & User Account Passwords. 

From recent months, I was working on Slack Bug Bounty Program and y god grace got more then 15 valid vulnerabilities till today(Some of the still in fixing stage). One of the interesting vulnerability was Slack Rate Limit Bypass. 

First of all, I was reported  No Rate Limit Implemented Vulnerability On Slack(Which was not true) :p In slack Mobile Applications End-Point "/api/auth.signin" , I was looking for positive response from slack guys, Next day slack replied that my report is not proper as they have rate limit implemented. Now what was wrong?


This Was My First POC(Invalid)



Actually in my POC i was using Burp Free Edition which have request throttling in Intruder Attack. 
That means i have tried only 100 attempt with time throttle of 5 seconds for each request, which not looks good.As a result Slack Rate Limit is not getting triaged in only 100 attempt with time throttle, Also for a real attack scenario attacker need to send 1000 of request in every minute. 

To confirm this behavior, I tried 1000 attempts with 30 threads without Time Throttling .At the end of the attack i was silently rate limited as Said by Slack Team Member :( 

For a quick POC, I forgot to tried this same attack without time throttling.After many discussion, Finally slack closed my report as Informative and i was totally agree with this decision.



I was like



******

After 2 days, I decide to give an another try on same vulnerability.I tried different techniques, Finally one of the technique worked which i also mention in my  Post http://www.websecgeeks.com/2015/06/bypass-brute-force-protection-login.html

I  tried every request with a different User Agent Values.With 100 Threads :p And 1340 Attempts In Less then 40 seconds.(Very Fast Actually =D )




Which tricking the Slack Rate Limit Logic to treat/count every attempt as a new request. As a result Attacker can perform multiple tons of attempts on different end-points. Such as OTP(One Time Password "/api/auth.signin") & Password.(Slack is not using Strong Password Enforcement Policy, Hence user can set password as "abc123" which can be crack easily.

Below,We can see that One of the attempt number 1340 responded without "invalid pin", Which indicate a different response(Response with 0Auth Tokens,xxid etc.) as compare to other attempts.


Second POC Video With 1340 Attempt, Without Time Throttling 


Finally i started dancing :p


This vulnerability was allowing me to Brute Force the User Authentication & OTP end points.

After fixing, Slack deployed a strict rate limit logic.

Slack rewarded $500 for this vulnerability.

Full report can be found here - https://hackerone.com/reports/165727

Comments are always welcome.