Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Rate Limit Circumvention Challenge

See original GitHub issue

Adding https://www.npmjs.com/package/ratelimiter to some route (e.g. login or change-password) would make an additional challenge possible where the rate limit needs to be circumvented somehow.

For this to work, ratelimiter needs to be misconfigured or maybe an older version with known weaknesses can be used. Needs to be analyzed.

Alternative 1: Write an own (broken) rate limiting feature.
Alternative 2: Typosquat ratelimiter and make it broken. (Risky because it might be kicked off npmjs.org at some point?)

Issue Analytics

State:
Created 6 years ago
Comments:5 (4 by maintainers)

Top GitHub Comments

2reactions

CaptainFreakcommented, Feb 2, 2018

I have some nice idea to implement this challenge. Like:-

1.Rate limit Bypass on BruteForce of Forgot Password Secret Token 2.Login Form Bruteforcing

Broken feature will be Implementation of rate limiting on the basis of Originating IP. which then can be bypassed by Spoofing X-Forwarded-For: IP Header.

Will look into ratelimiter and will look into any cool way of misconfiguring it.

0reactions

lock[bot]commented, Nov 4, 2019

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.