Introduction
In modern web security, Rate Limiting is a critical defense. It's the "digital guard" that watches a login page and blocks your IP if you send too many requests from the same address.
But what if the guard is easily fooled? In this post, we'll walk through a common CTF challenge where we bypass this security measure by manipulating HTTP headers using Burp Suite.
The Challenge Overview
- Target Email: ctf-player@picoctf.org
- Goal: Brute-force the password to uncover a hidden secret.
- The Obstacle: A rate-limiting mechanism that locks out repeated failed attempts from the same source (IP).
- The Hint: The system might still trust "user-controlled headers."
Phase 1: The "What" and the "Why"
What is Rate Limiting?
It is a strategy used to limit network traffic. It puts a cap on how often someone can repeat an action within a certain timeframe — for example, trying to log in.
Why is it vulnerable here?
Most servers track your IP address to decide when to block you. However, some servers sit behind "Load Balancers" or "Proxies," so the connecting address they see belongs to the proxy. To learn the "real" IP of the user, they read a specific HTTP header, X-Forwarded-For, which the proxy is expected to fill in.
The Vulnerability: X-Forwarded-For is just a request header, so any client can set it. If the server trusts it blindly, an attacker can change it in every request, and to the server it looks like every single request is coming from a completely different person in a different part of the world!
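To make the flaw concrete from the defender's side, here is an added Python example (not part of the original post or the challenge's own code). It shows a login rate limiter keyed on a naively parsed X-Forwarded-For next to one that only honours the header when the connection arrives from a proxy it operates; the proxy and peer addresses are constructed for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque

TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.10")}  # constructed: the reverse proxies we actually run

def client_ip_naive(remote_addr, headers):
    """Vulnerable: blindly trust the first X-Forwarded-For hop, as the challenge server does."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_trusted(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Hardened: honour X-Forwarded-For only when the TCP peer is one of our proxies, then walk the
    chain from the right, skipping our own hops, so the value used was appended by a proxy we control."""
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr  # direct connection: the header is client-controlled, ignore it
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            return remote_addr  # malformed hop: fall back to the peer address
    return remote_addr

class LoginRateLimiter:
    """Sliding window: at most `limit` attempts per derived client key within `window` seconds."""
    def __init__(self, limit=5, window=60.0, key_func=client_ip_trusted):
        self.limit, self.window, self.key_func = limit, window, key_func
        self._attempts = defaultdict(deque)

    def allow(self, remote_addr, headers, now=None):
        now = time.monotonic() if now is None else now
        q = self._attempts[self.key_func(remote_addr, headers)]
        while q and now - q[0] > self.window:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(limiter, attempts=10):
    """Replay the pattern from one constructed peer: every request carries a freshly spoofed hop."""
    allowed = 0
    for i in range(1, attempts + 1):
        if limiter.allow("198.51.100.7", {"X-Forwarded-For": f"10.0.0.{i}"}, now=float(i)):
            allowed += 1
    return allowed
```

With the naive key every spoofed hop gets its own counter and all attempts pass; with the hardened key they collapse onto the real peer address and the lockout fires after the fifth.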
Phase 2: The Step-by-Step Solve
1. Setup and Interception
First, we need to see how the website talks to the server.
- Open Burp Suite and go to the Proxy tab.
- Make sure Intercept is on.
- Open the Burp Built-in Browser and navigate to your challenge URL.
- Enter the email ctf-player@picoctf.org and a random password like test.
- Click Login.
2. Analyzing the Request
Back in Burp, you will see the raw request. It should look something like this:

```http
POST /login HTTP/1.1
Host: amiable-citadel.picoctf.net:54081
Content-Type: application/json

{"email":"ctf-player@picoctf.org","password":"test"}
```

Right-click anywhere on this text and select Send to Intruder.
3. Configuring the "Pitchfork" Attack
Go to the Intruder tab and then the Positions sub-tab.
- Clear §: clear all markers initially.
- Add the Bypass Header: under the Host line, manually type: X-Forwarded-For: 10.0.0.§1§
- Mark the Password: highlight the password test and click Add §. It should look like §test§.
- Set the Attack Type: at the top, change the dropdown from Sniper to Pitchfork.
Why Pitchfork? A "Sniper" attack changes one position at a time with a single payload set. A "Pitchfork" attack uses one payload set per position and advances them in lockstep. We want to change the IP address and the password at the same time, so every guess has a fresh "mask."
4. Setting the Payloads
Go to the Payloads tab.
Payload Set 1 (The IP Number):
- Payload Type: Numbers
- From: 1
- To: 1000 (or the size of your password list)
- Step: 1
Payload Set 2 (The Passwords):
- Payload Type: Simple List
- Action: Click Load and select the password list provided in the challenge.
5. Launching the Attack
Click Start Attack. A new window will appear.
Phase 3: Finding the Flag
While the attack runs, watch the Length column or the Status column.
- Most requests will return a specific length (e.g., 1240), signifying a "Failed Login."
- Look for one row that has a different length or a different status code (like 302 Redirect or 200 with a larger size).
- Once you find that row, click on it.
- Look at the Response tab. Scroll through the HTML, and you will find your flag: picoCTF{...}.