heavenly's blog

software engineering, reverse engineering, and bug bounties


ratelimits and public buckets

published on august 10, 2025 • edited on september 7, 2025

in this post, i'll walk through how i found rate-limiting issues and public bucket issues in a small app i use often.

tools used

postman, http toolkit, and proxyman

what happened?

my client had no rate limiting on some crucial user-related endpoints, so i was able to crawl their entire app and extract essentially the whole posts database, plus every username on the app. they had also left some storage buckets publicly accessible. thankfully the buckets didn't hold sensitive data at the time, but if they had, the story would have been very different.

bug tags

rate limiting: cwe-400 (uncontrolled resource consumption); the more specific matches are cwe-770 (allocation of resources without limits or throttling) and cwe-799 (improper control of interaction frequency)
public bucket: cwe-552 (files or directories accessible to external parties); cwe-284 (improper access control)

rate limits? public buckets?

rate limits

rate limits cap how many requests one client can make to an endpoint within a window, and answer the excess with a 429 instead of serving it. they exist to stop end users from hammering endpoints with requests, and, as this post shows, to stop a single account from walking through the whole database one read at a time. the limit should be keyed on the authenticated user or api token, not only on the source ip, otherwise one logged-in account behind a proxy gets unlimited reads while a whole office behind one nat gets locked out.
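the enforcement side of this, as an added example (my code, not the app's): a per-client sliding-window limiter of the kind the feed and comment endpoints in this post were missing, with a `burst` helper that replays the postman "spam the send button" test against it. the limit of 100 requests per 60 seconds, the client ids and the fake clock are assumptions for the demo.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

# Assumed policy values (not from the app in the post): 100 requests per
# 60-second window per client id.
LIMIT = 100
WINDOW_SECONDS = 60.0


class SlidingWindowLimiter:
    """Per-client sliding-window rate limiter.

    Key on the authenticated user id (or api token), not only the source ip:
    one logged-in account behind a proxy should not get to walk the whole
    database, and one ip behind a nat should not lock out everyone else.
    """

    def __init__(self, limit: int = LIMIT, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock            # injectable so the behaviour is testable
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_id: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        hits = self._hits.setdefault(client_id, deque())
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:     # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            # the oldest hit still inside the window decides when capacity returns
            return False, hits[0] + self.window - now
        hits.append(now)
        return True, 0.0


def handle_feed_request(limiter: SlidingWindowLimiter, client_id: str) -> Tuple[int, Dict[str, str]]:
    """A stand-in for the feed endpoint: returns (status, headers)."""
    allowed, retry_after = limiter.allow(client_id)
    if not allowed:
        return 429, {"Retry-After": str(int(retry_after) + 1)}
    return 200, {}


def burst(limiter: SlidingWindowLimiter, client_id: str, n: int) -> Tuple[int, int]:
    """Fire n back-to-back requests, the way the postman test in the post did,
    and return (accepted, rejected). Zero rejections for a large n is the
    symptom the post describes."""
    accepted = rejected = 0
    for _ in range(n):
        status, _headers = handle_feed_request(limiter, client_id)
        if status == 200:
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


class FakeClock:
    """Deterministic clock so the demo runs instantly."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(clock=clock)
    print("burst of 150 with limiter:", burst(limiter, "user-42", 150))   # (100, 50)
    print("other users are unaffected:", burst(limiter, "user-7", 1))      # (1, 0)
    clock.advance(61)
    print("after the window passes:", burst(limiter, "user-42", 1))        # (1, 0)
```

the quick manual check is the same as the `burst` helper: replay one read request a couple of hundred times and watch for the first 429 (and a `Retry-After`). if none ever arrives, the endpoint is scrapeable at whatever speed the network allows.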

public buckets

a bucket that allows anonymous listing is bad because anyone can enumerate every object in it and download whatever is there, and if anything sensitive is ever dropped in next to the public assets (profile photos, say), it leaks. serving individual objects by url is often intended; letting unauthenticated users list the bucket almost never is, and that distinction is what you check for.
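a check for exactly that, as an added example (my code, not the app's or any vendor's): classify the response to an unauthenticated get on a bucket root and, when it is a listing, pull out the keys and flag the ones that look like data rather than public assets. the two response bodies are constructed to match the s3 `ListBucketResult` and `AccessDenied` shapes; the bucket name and keys in them are made up.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed responses (not captured from the app in the post) shaped like what
# an s3-compatible object store returns for an unauthenticated GET on the bucket root.
PUBLIC_LISTING_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-profile-photos</Name>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>avatars/1001.jpg</Key><Size>48213</Size></Contents>
  <Contents><Key>avatars/1002.jpg</Key><Size>51980</Size></Contents>
  <Contents><Key>exports/users-2025-08.csv</Key><Size>904311</Size></Contents>
</ListBucketResult>"""
ACCESS_DENIED_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

# Extensions that have no business sitting next to public avatars.
SENSITIVE_SUFFIXES = (".csv", ".json", ".sql", ".zip", ".bak", ".env", ".log")


def _local(tag: str) -> str:
    """Drop the xml namespace so parsing works across s3-compatible stores."""
    return tag.rsplit("}", 1)[-1]


def _listing_root(body: bytes) -> Optional[ET.Element]:
    """Return the ListBucketResult element, or None if the body is not a listing."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root if _local(root.tag) == "ListBucketResult" else None


def listed_keys(body: bytes) -> List[str]:
    """Every object key in a ListBucketResult body (empty if it is not one)."""
    root = _listing_root(body)
    if root is None:
        return []
    return [
        child.text
        for contents in root if _local(contents.tag) == "Contents"
        for child in contents if _local(child.tag) == "Key" and child.text
    ]


def suspicious_keys(keys: List[str]) -> List[str]:
    """Keys that look like exports or config rather than public assets."""
    return [k for k in keys if k.lower().endswith(SENSITIVE_SUFFIXES)]


def classify_bucket(status: int, body: bytes) -> str:
    """Classify the response to an unauthenticated GET on the bucket root.

    public-listing : anyone can enumerate every object (the finding in the post)
    listing-denied : listing is blocked; individual objects may still be readable by url
    no-such-bucket : nothing there (a dangling hostname is worth a second look)
    """
    if status == 200 and _listing_root(body) is not None:
        return "public-listing"
    if status == 403:
        return "listing-denied"
    if status == 404:
        return "no-such-bucket"
    return f"unexpected-{status}"


def fetch_anonymous(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """GET the url with no credentials; return (status, body), error bodies included."""
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies. Against a real target you
    # would feed classify_bucket the result of fetch_anonymous("https://<bucket>.s3.amazonaws.com/").
    for status, body in ((200, PUBLIC_LISTING_BODY), (403, ACCESS_DENIED_BODY)):
        verdict = classify_bucket(status, body)
        print(status, verdict)
        if verdict == "public-listing":
            keys = listed_keys(body)
            print(f"  {len(keys)} objects listed; suspicious: {suspicious_keys(keys)}")
```

two caveats when using this for real: a `listing-denied` result only tells you listing is off, so also fetch one known object url to see whether objects themselves are world-readable (for avatars that may be intended); and the fix is on the bucket's access configuration (drop the public-read grant on the bucket or turn on block-public-access, keeping object-level reads only where the product needs them), not anywhere in app code.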

the action

my setup

i loaded up proxyman on my macbook. thankfully this app was also available on the macos app store, so i installed it there and ran proxyman alongside it. then i skimmed through the requests (clicked around in the app and watched the requests fly by in proxyman). unfortunately, i realized that all of the cool functionality was hidden behind quic/http3, and i'm not knowledgeable in how to decrypt those protocols.

(a note for anyone reproducing this: most intercepting proxies don't terminate quic. a common workaround is to block outbound udp/443 on the test machine so the client falls back to http/2 over tcp, where the usual tls interception works.)

what i noticed

right off the bat i noticed a few interesting things. for one, some private user information was being sent over the network that shouldn't have been; i alerted the owner of the app to this as well. then i noticed the usual interesting apis: a few get requests to read the main user feed, read a specific user's posts, and read the comments on a post.

to test the rate limiting, i copied the proxyman request over to postman and imported it into a collection named after the app. i spammed the send button a few times and noticed that my requests were going through easily, with no blockers. so i wrote a script to crawl the entire app: read the main feed, extract all the comments and the usernames attached to them, then walk through each commenting user's posts and continue the search from there, one level deeper each time. after extracting a fair chunk of the usernames and posts database, i saved my progress and submitted the bug bounty.

the next bug was easier. while reading through user profile data for the first bug, i got curious about where the profile photos were stored, since private user data often ends up in the same location, unsecured. i checked out the link and found an unsecured bucket. unfortunately (or fortunately!), there was nothing interesting in it, but i submitted that as a bounty as well.
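the crawl above leaves a very recognisable trace in access logs: one account reading far more content than a human would, and fanning out across hundreds of other users' profiles. as an added example (my code, not the app's), here is a detector that runs over log lines and reports, per account, the peak read rate and the peak number of distinct profiles touched in any 60-second window. the log format, with the authenticated user appended as `user=<id>`, the endpoint paths and the sample lines are all assumptions constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Assumed log shape (not the app's real logs): nginx-style access line with the
# authenticated user id appended as "user=<id>" so requests can be keyed per account.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) user=(?P<user>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints that hand out other people's content: feed, posts/comments, profiles.
CONTENT_PREFIXES = ("/api/feed", "/api/posts/", "/api/users/")
PROFILE_RE = re.compile(r"^/api/users/(?P<target>[^/?]+)")


def build_sample_log() -> List[str]:
    """Constructed sample: one normal reader and one account walking profiles."""
    fmt = '10.0.0.{ip} - [10/Aug/2025:14:00:{sec:02d} +0000] "GET {path} HTTP/2.0" 200 user={user}'
    lines = [
        fmt.format(ip=5, sec=0, path="/api/feed?page=1", user="alice"),
        fmt.format(ip=5, sec=7, path="/api/posts/9001/comments", user="alice"),
        fmt.format(ip=5, sec=30, path="/api/users/bob/posts", user="alice"),
    ]
    for i in range(120):  # two profile reads per second for a minute
        lines.append(fmt.format(ip=9, sec=i % 60, path=f"/api/users/u{i}/posts", user="scraper"))
    return lines


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    """Return (unix_ts, path, user), or None for lines that don't match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return ts, m["path"], m["user"]


def per_user_peaks(lines: List[str], window: float = 60.0) -> Dict[str, Dict[str, int]]:
    """For each user, the peak number of content reads and the peak number of
    distinct profiles read within any sliding window of `window` seconds."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    reads: Dict[str, Deque[float]] = defaultdict(deque)
    profiles: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    peaks: Dict[str, Dict[str, int]] = defaultdict(lambda: {"reads": 0, "profiles": 0})
    for ts, path, user in events:
        if not path.startswith(CONTENT_PREFIXES):
            continue
        q = reads[user]
        q.append(ts)
        while q[0] < ts - window:          # slide the window forward
            q.popleft()
        peaks[user]["reads"] = max(peaks[user]["reads"], len(q))
        m = PROFILE_RE.match(path)
        if m:
            p = profiles[user]
            p.append((ts, m["target"]))
            while p[0][0] < ts - window:
                p.popleft()
            distinct = len({target for _, target in p})
            peaks[user]["profiles"] = max(peaks[user]["profiles"], distinct)
    return dict(peaks)


def flag_scrapers(peaks: Dict[str, Dict[str, int]], max_reads: int = 60,
                  max_profiles: int = 30) -> List[str]:
    """Users whose peak read rate or profile fan-out exceeds the (assumed) thresholds."""
    return sorted(u for u, s in peaks.items()
                  if s["reads"] > max_reads or s["profiles"] > max_profiles)


if __name__ == "__main__":
    stats = per_user_peaks(build_sample_log())
    for user, s in stats.items():
        print(f"{user}: peak {s['reads']} reads/min, {s['profiles']} distinct profiles/min")
    print("flagged:", flag_scrapers(stats))   # ['scraper']
```

the fan-out count is the more robust of the two signals: a slow scraper can stay under any per-minute rate, but it still has to touch every profile once, and a real user has no reason to read hundreds of strangers' post lists in a minute. the same per-account counter is what the app itself should be enforcing; the log-side check is the backstop for when it isn't.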

results

what i learned

rate limiting bugs are still common, and so are public buckets. both are still worth checking for, since the outcomes can be fun and interesting, and the checks are cheap: replay one read endpoint a few hundred times and see whether a 429 ever comes back, and fetch the bucket root without credentials and see whether it lists objects. writing an impromptu multithreaded database scraper was cool.

bounty

i got around $300 for this, which was cool for something that started out as a few little hobby tricks and a few hours of work. i also got an nda and clearance to fiddle with the apis further in the future!