Merge pull request #69 from snoopysecurity/new-vulns

feat: add rate limit bypass test

Author: snoopysecurity

README.md

@@ -38,6 +38,7 @@ This vulnerable application contains the following API/Web Service vulnerabiliti
 * XML Bomb Denial-of-Service
 * SOAP Injection
 * Cross-Site Request Forgery (CSRF)
+* Rate Limit Bypass
 * Client Side Template Injection
 
 ## Set Up Instructions

test/vulnerabilities.test.js

@@ -330,6 +330,7 @@ describe("DVWS-Node Vulnerability Tests", function () {
       const authFailed = responses.every(res => res.status === 401);
       expect(authFailed).to.eql(true);
     });
+
   });
 
   describe("26. CRLF Injection (Log Pollution)", function () {
@@ -453,4 +454,35 @@ describe("DVWS-Node Vulnerability Tests", function () {
       expect(adminUser).to.have.property('password', 'letmein');
     });
   });
+
+  describe("36. Rate Limit Bypass", function () {
+    it("should allow bypassing IP-based rate limit using X-Forwarded-For header", async function () {
+      // 1. Flood from a specific IP to trigger ban
+      const blockedIP = "192.168.1.200";
+      const attempts = 110; // Max is 100
+      const promises = [];
+      
+      for (let i = 0; i < attempts; i++) {
+        promises.push(
+          request
+            .post("/login")
+            .set("X-Forwarded-For", blockedIP)
+            .send({ username: "admin", password: "wrong" + i })
+        );
+      }
+      
+      const responses = await Promise.all(promises);
+      const rateLimited = responses.some(res => res.status === 429);
+      expect(rateLimited).to.eql(true, "Rate limit should have been triggered");
+
+      // 2. Bypass using a different IP via X-Forwarded-For
+      const bypassIP = "192.168.1.201";
+      const response = await request
+        .post("/login")
+        .set("X-Forwarded-For", bypassIP)
+        .send({ username: "admin", password: "password" });
+        
+      expect(response.status).to.not.equal(429, "Rate limit should be bypassed with new IP");
+    });
+  });
 });