Security Issue - Bypass of Rate Limiting Mechanism
Closed this issue · 4 comments
Is this a BUG REPORT or FEATURE REQUEST?:
- BUG
- FEATURE
What happened:
The vulnerability includes a bypass in the implementation of the rate-limiting mechanism, which blocks a malicious actor's IP address while it performs suspicious login attempts against the system's authentication mechanism. This can be done by appending the "X-Forwarded-For" header to each login request; by that, the backend "considers" this a new IP address, allowing the attacker to carry on with a successful brute force attack.
What did you expect to happen:
Avoid IP spoofing by unsetting the X-Forwarded-For header to determine the originated user’s IP address. If not possible, prevent spoofing of the X-Forwarded-For header in Node.js by configuring Express to trust only specific proxies with known IP ranges using the trustProxy setting and verifying the IP address against a whitelist.
How to reproduce it (as minimally and precisely as possible):
- Access the system's login page prior to the authentication phase.
- Send multiple login requests to a single user with invalid passwords.
- Notice the HTTP 429 status code returned in the response after a couple of attempts, indicating the IP address has been blocked temporarily.
- Add the "X-Forwarded-For" header to the request using proxy tools and set it to a different value on each attempt (e.g., 127.0.0.1, 127.0.0.2, 127.0.0.3).
- Proceed with the brute force attack until a successful attempt has been made to guess the correct user's password.
- Obtain unauthorized access to the system using an admin account, for example.
Anything else we need to know?:
Nothing else. I'm available for further questions.
Environment:
- Trudesk Version: (Docker) polonel/trudesk:1.2.10
- OS (e.g. from /etc/os-release): (Docker) Alpine Linux v3.15.4
- Node.JS Version: v16.14.2
- MongoDB Version: (Docker) mongo:5.0-focal
- Is this hosted on cloud.trudesk.io: No
Below is a PoC:
2024-04-19.12-33-22.mp4
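As an added illustration of the fix the report asks for (example code, not trudesk's own), the block below derives the client IP the way Express's `trust proxy` setting does when given an explicit proxy list: walk X-Forwarded-For from right to left and stop at the first hop that is not a trusted proxy, so a header value supplied by an untrusted peer is never used as the rate-limit key. The trusted proxy address 10.0.0.1 and the attempt limits are assumptions for the demo; the naive keying is shown only for contrast.

```javascript
// Added example (not trudesk's code). Assumed deployment: the only reverse
// proxy allowed to set X-Forwarded-For is 10.0.0.1.
const TRUSTED_PROXIES = new Set(['10.0.0.1']);

// Naive keying, the pattern behind the reported bypass: whatever the client
// puts in X-Forwarded-For becomes the rate-limit bucket.
function naiveClientIp(socketAddr, xffHeader) {
  return xffHeader ? xffHeader.split(',')[0].trim() : socketAddr;
}

// Hardened keying: start from the TCP peer address and only step left along
// the X-Forwarded-For chain while the current hop is a trusted proxy.
function clientIp(socketAddr, xffHeader) {
  const chain = xffHeader
    ? xffHeader.split(',').map((s) => s.trim()).filter(Boolean)
    : [];
  let addr = socketAddr;
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(addr)) break; // untrusted hop: stop here
    addr = chain[i];
  }
  return addr;
}

// Fixed-window login limiter keyed on the hardened client IP.
const MAX_ATTEMPTS = 5;            // assumed threshold
const WINDOW_MS = 15 * 60 * 1000;  // assumed window
const attempts = new Map();        // ip -> { count, windowStart }

function resetLimiter() {
  attempts.clear();
}

// Returns the HTTP status the login endpoint should answer with: 429 once
// the caller's real IP has exceeded MAX_ATTEMPTS inside the window.
function checkLoginAttempt(socketAddr, xffHeader, now = Date.now()) {
  const ip = clientIp(socketAddr, xffHeader);
  let entry = attempts.get(ip);
  if (!entry || now - entry.windowStart > WINDOW_MS) {
    entry = { count: 0, windowStart: now };
    attempts.set(ip, entry);
  }
  entry.count += 1;
  return entry.count > MAX_ATTEMPTS ? 429 : 200;
}
```

With the header ignored for untrusted peers, a direct client rotating X-Forwarded-For values still lands in the bucket for its socket address, while a client behind the trusted proxy is keyed on the address the proxy appended rather than on any value it injected itself.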
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Hi, any feedback?
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.