API Rate-Limit Restriction (3 request maximum) Bypass using Race Condition #210

@0xygyn-X

Description

Describe the bug

A rate-limit restriction helps ensure a certain threshold is in place to prevent excessive requests.

AIxBlock has put in place a rate-limit restriction that helps prevent multiple requests within a time frame.

The restriction currently put in place by AIxBlock is 3 requests on password reset before you get rate-limited (you will be forced to wait 5 minutes before you can send your 4th request).

By leveraging a race-condition vulnerability on the password reset endpoint, the restriction of 3 requests was bypassed, allowing a threat actor to send more than 3 requests. Hence, the protection put in place was bypassed.

To Reproduce
Steps to reproduce the behavior:

Go to Account Settings --> Profile Settings --> Reset Password (Internal or External Password Reset Functionality)

Enter targeted email address --> Click on Confirm --> 'https://app.aixblock.io/user/reset-password'

Intercept the request using your preferred proxy tool (I used Burp Suite proxy).

Forward the request to Turbo Intruder or your preferred concurrency / threading tool.

Use the payload below or modify it to suit your result (more threads / connections).

Payload:

# Turbo Intruder script. RequestEngine, Engine and table are provided by the
# Turbo Intruder runtime, so no imports are needed here.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=30,   # parallel connections
                           requestsPerConnection=300,  # requests per connection
                           pipeline=True,              # HTTP pipelining on
                           engine=Engine.THREADED
                           )

    # Queue 30 copies of the intercepted password-reset request.
    for x in range(30):
        engine.queue(target.req, x)


def handleResponse(req, interesting):
    # Show every response in the results table.
    table.add(req)

Video:
https://drive.google.com/file/d/1Bjm1no8JtFn8l1WLTqNPDHNX96kiUeyq/view?usp=sharing
https://drive.google.com/file/d/1kMa2pD0rQAWNEIjo6a4c_rXV7TMZbr-z/view?usp=sharing

Expected behavior
As the AIxBlock team has implemented rate-limit protection, also ensure race-condition (multi-threading / concurrency) protection is enforced. Ensure protection against rate-limit restriction bypass via concurrency or multi-threading flaws is also enforced by using semaphore or thread-locking methods.

Screenshots
Find attached videos.

Desktop (please complete the following information):

OS: Ubuntu
Browser: Firefox
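Added example, not code from the report or from AIxBlock: a minimal check-then-increment limiter of the kind whose race window the report describes, beside the same limiter with the read-check-write step made atomic under a lock, plus a harness that fires 30 simultaneous requests at each. The limit, key and Barrier-based "backend round-trip" stall are constructed for the demonstration.

```python
import threading

class RateLimiter:
    # Check-then-increment limiter: at most `limit` calls per key. Window
    # expiry is omitted; `gap` runs between reading and writing the counter
    # and stands in for the database round-trip a real backend makes there.
    def __init__(self, limit, gap=lambda: None):
        self.limit, self.gap = limit, gap
        self.counts = {}  # key -> requests seen so far

    def allow(self, key):
        n = self.counts.get(key, 0)
        if n >= self.limit:
            return False
        self.gap()  # check passed, increment not yet written: the race window
        self.counts[key] = n + 1
        return True

class AtomicRateLimiter(RateLimiter):
    # Same logic, but read-check-write is one critical section, so no two
    # requests can observe the same pre-increment count.
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._lock = threading.Lock()

    def allow(self, key):
        with self._lock:
            return super().allow(key)

def concurrent_accepts(limiter, key, n_threads):
    # Fire n_threads simultaneous requests for key; return how many passed.
    accepted = []

    def worker():
        if limiter.allow(key):
            accepted.append(1)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(accepted)

def demo(n_threads=30):
    # Barrier gap: every thread reads the counter before any thread writes it,
    # so the worst case reproduces deterministically (constructed scenario).
    racy = RateLimiter(3, gap=threading.Barrier(n_threads).wait)
    atomic = AtomicRateLimiter(3)
    return (concurrent_accepts(racy, "user@example.com", n_threads),
            concurrent_accepts(atomic, "user@example.com", n_threads))
```

With the racy limiter all 30 concurrent requests are accepted; the locked version admits exactly 3, which is the behaviour the expected-behavior section asks for. In a multi-process deployment the lock must live in the shared store (for example an atomic increment on the counter row or cache key) rather than in one process's memory.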
