Usually, IP addresses with multiple failed login attempts should be
blocked. An attacker could bypass this by sending an X-Forwarded-For
header and changing that IP with each attempt. Since REMOTE_ADDR
is harder to fake, we should first check that one and only if that one is
not set for some reason rely on other variables.
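As an added example (not code from the project or from either participant), the check described above in Python: `REMOTE_ADDR` is authoritative, and `X-Forwarded-For` is consulted only when the connection arrives from a proxy we operate or when `REMOTE_ADDR` is unset. The trusted proxy range, the attempt limit, the names `client_ip`, `client_ip_naive` and `LoginThrottle`, and the request environments are all assumptions constructed for the example; the naive variant is included only to show why the lockout fails when the header is trusted blindly.

```python
"""Client-IP resolution for login throttling that does not trust a
spoofable X-Forwarded-For header. Added example; ranges, limits and
names are assumptions, not the project's code."""
import ipaddress
from collections import defaultdict

# Assumption: only reverse proxies we control live in this network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


def _is_trusted_proxy(ip_text, trusted):
    """True if ip_text parses as an address inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip_naive(environ):
    """Weak variant: X-Forwarded-For wins whenever present, so the
    sender chooses the address the throttle keys on."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if xff:
        return xff.split(",")[0].strip()
    return environ.get("REMOTE_ADDR")


def client_ip(environ, trusted=TRUSTED_PROXIES):
    """Hardened variant: REMOTE_ADDR first. X-Forwarded-For is used only
    when REMOTE_ADDR is one of our proxies (or missing), and then the
    rightmost hop outside the trusted ranges is taken, since any hops a
    client supplied itself sit to the left of what our proxy appended."""
    remote = environ.get("REMOTE_ADDR")
    if remote and not _is_trusted_proxy(remote, trusted):
        return remote
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            continue  # skip garbage, never key the counter on it
        if not _is_trusted_proxy(hop, trusted):
            return hop
    return remote


class LoginThrottle:
    """Counts failed logins per resolved client IP and blocks at the limit."""

    def __init__(self, resolve_ip, limit=MAX_FAILED_ATTEMPTS):
        self.resolve_ip = resolve_ip
        self.limit = limit
        self.failures = defaultdict(int)

    def attempt(self, environ, password_ok):
        """Return True if the request reached the password check,
        False if the source was already locked out."""
        ip = self.resolve_ip(environ)
        if self.failures[ip] >= self.limit:
            return False
        if not password_ok:
            self.failures[ip] += 1
        return True


def simulate_rotating_xff(resolve_ip, attempts=20):
    """Constructed traffic: one real source address, a different
    X-Forwarded-For value on every request. Returns how many wrong-password
    requests got through to the password check."""
    throttle = LoginThrottle(resolve_ip)
    passed = 0
    for i in range(attempts):
        environ = {
            "REMOTE_ADDR": "203.0.113.5",               # constructed direct client
            "HTTP_X_FORWARDED_FOR": f"198.51.100.{i}",  # constructed, changes each time
        }
        if throttle.attempt(environ, password_ok=False):
            passed += 1
    return passed


if __name__ == "__main__":
    print("naive resolver let through:", simulate_rotating_xff(client_ip_naive))
    print("hardened resolver let through:", simulate_rotating_xff(client_ip))
```

With the naive resolver every request is keyed on a fresh address and none is blocked; with the hardened resolver the counter stays on `REMOTE_ADDR` and the lockout triggers after the configured number of failures. Behind a real reverse proxy the trusted range must match the proxy's actual source addresses, otherwise every visitor is keyed on the proxy's IP and one user's failures lock out everyone.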
Hi team,
I found a way to bypass account protection (the account is not blocked when brute-forced).
Steps (this is a demo of some cases):
If I log in wrongly too many times, it will be locked.

But I can bypass it by inserting an X-Forwarded-For header, then brute-force without being locked (using the Intruder plugin of Burp Suite).

Set the payload to brute-force and start the attack.

Result: found the user (bypassed account protection without being blocked).