Saturday 30 June 2018

Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass

Hello All While pentesting an application we might face some problem of  Brute Force Protection , Login Attempt Protection And Captcha Based Protection , So today we will see how can "Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass"

First of all we will not use any kind of ready made tools for this , So lets begin !

Many people will think that this is a small issue, But if we look closely an attacker point of view then we will came to know , that By Brute Forcing any login panel can allows an attacker to gain administrative privilege instead of looking for vulnerabilities like RCE , SQL Injection and other critical vulnerability which might also allow us to take the Root or Administrator Level access.

Here i am describing many different techniques which i have observed while pentesting or hunting bugs.

1. Using Random User - Agent 

Many web application track the user attempt on the bases of user agent ( Browser ) , So it might be possible to Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass By using random User Agent Strings ( Click Here For User Agent Strings )

2. Cookies Based Protection

In my recent Pentesting , i observe that whenever we send multiple login request to web application , then its actually comparing by the cookies values by web server to count our login hit , So if we remove the cookies from every request while performing brute forcing the application then we might be actually "Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass"

3. The Whole New Iframe Trick

Be frank i am still not able to know , Why this tricks work , But it is interesting for me.

Before some month i was pentesting an web application which had couple of roles like admin , write and viewer

There was a captcha on login panel which bothering me every time while logged in , So i tried to bypass that.

Dont know what happened , I just load that login page in an Iframe and SHOCK ! the captcha was not there , And then i logged in with only username and password and SHITT ! i was in.

4. Changing Referrer Value

I also found that Some web application check referrer to detect our login attempt , So We can simple change the referrer value to any external domain , which will trick the application to think that , We are a new user came from an external domain,So you might be able to "Bypass Rate Limit Brute Force Protection Login Attempt Protection Captcha Bypass"

5. Mobile Version

This is an old very known technique , Found by one of my friend.

Many web application have their mobile version site , Which may lack any kind of login attempt security ,

You can simple try to access mobile version by google , try to add , and

there are many types of URL there you can try them out.

6. Using The Same Captcha

By some miss configuration , Some web application are vulnerable with this , Whenever web application ask you for captcha while login , Simple intercept the request the only change the password or username value where you want to attack and keep the captcha value as before and then attack , You will see that same captcha works for all request.

7. Time Delay Login Attack

Some web application detect the login attempt on Time Interval during every login request , So we can set a time delay in our every request which might be "Bypass Brute Force Protection"

8. Changing User Name While Attacking

Some web application login attempt behaviour is depend on which username the attacker is attacking , Like if you will attacker on username "admin" continuously more then 5 times then it will block you directly , To ride out of it , First we have to analysed that after how many attempts on any username application is blocking us , After analysing we can continue our attack with first 4 attempt with valid username and 5th attempt as invalid username , then again next 4 attempt as valid username and then attempts as invalid user name , By using we can also bypass the brute force protection

Thats all i observe and found , I will update the post asap if  i found something more useful things. Thanks

Comments are always welcome. :)


  1. bro i have issue with this => The Whole New Iframe Trick i didnt understand how to perform this attack and Changing Referrer Value can, u have video tut for these things,..??

  2. Ali , The iframe attack is still miss-understood for me. But as per the hands on, You can load the login page into an Iframe Tag
    Now some captcha`s or login attempt security might be stop work when resource loaded into an Iframe.
    So by loading the page into an iframe may be lead to miss-functionality which can be allow user to bypass login attempt protection