Bypass Brute-Force Protection
  1. Look for patterns in the brute-force protection and stay just below each threshold:
    • if the IP is blocked after 3 incorrect attempts and a successful login resets the counter, insert our own valid credentials into the wordlist after every 2 guesses so the counter never reaches 3;
    • if accounts are locked after 5 incorrect attempts, send at most 4 guesses per account and then move on to the next account (password spraying) instead of exhausting the wordlist against one user.
  2. Once our real IP is blocked, resend the request with a fresh IP value in each of the following headers to find out which one, if any, the server reads to identify the client; the header that turns the block response back into a normal "invalid credentials" response is the one it trusts:
    • X-Real-IP
    • X-Forwarded-For
    • X-Originating-IP
    • Client-IP
    • True-Client-IP