Over the past few years, web application developers have migrated from traditional architectures to API-driven architectures. Authentication, authorization, handling of sensitive data and similar functions are now delegated to APIs, so a single misconfiguration or vulnerability in one of them is all an attacker needs to do significant damage.

In this lab, we will look at how the lack of rate limiting on an authentication endpoint can be leveraged to brute force a one-time password and bypass authentication.

Objective: Brute force the 4-digit one-time password and bypass the authentication.

URL: https://zl6h2bz2yh.execute-api.ap-southeast-1.amazonaws.com/dev
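The following is an added example and not part of the lab material. It shows the enumeration the lab asks for in general form: a brute-force loop that walks the whole 4-digit keyspace against an oracle that makes one verification attempt. Because the lab only gives a base URL and no request format, the server side is stood in for by two constructed in-memory verifiers (names and behaviour are assumptions): one that accepts unlimited attempts, like the lab's target, and one that locks out after a few wrong guesses, which is the control whose absence makes the attack work.

```python
"""Added example: brute-forcing a 4-digit OTP against an unthrottled verifier.

Nothing here talks to the lab API. The two verifier classes are constructed
stand-ins; against the real endpoint the oracle passed to brute_force_otp
would wrap an HTTP request and return True on a successful login.
"""
from typing import Callable, Optional


class VulnerableOtpVerifier:
    """Constructed stand-in for an API that never limits OTP attempts."""

    def __init__(self, secret_otp: str) -> None:
        self._secret = secret_otp
        self.attempts = 0  # how many verification requests were made

    def verify(self, otp: str) -> bool:
        self.attempts += 1
        return otp == self._secret


class RateLimitedOtpVerifier(VulnerableOtpVerifier):
    """Same verifier, but it locks after `max_attempts` wrong guesses.

    Once locked it rejects every code, including the correct one, until the
    OTP is re-issued. Even a small lockout threshold makes exhaustive
    enumeration of 10,000 codes impossible.
    """

    def __init__(self, secret_otp: str, max_attempts: int = 5) -> None:
        super().__init__(secret_otp)
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def verify(self, otp: str) -> bool:
        self.attempts += 1
        if self.locked:
            return False
        if otp == self._secret:
            return True
        self.failures += 1
        return False


def brute_force_otp(oracle: Callable[[str], bool], digits: int = 4) -> Optional[str]:
    """Try every zero-padded code of `digits` digits until the oracle accepts one.

    `oracle` performs one verification attempt and reports success. Returns
    the accepted code, or None if the entire keyspace was rejected (which is
    what happens once a lockout kicks in).
    """
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"  # "0000" .. "9999" for digits=4
        if oracle(candidate):
            return candidate
    return None


def demo(secret: str = "4271") -> dict:
    """Run the attack against both constructed verifiers and report the outcome."""
    vulnerable = VulnerableOtpVerifier(secret)
    found = brute_force_otp(vulnerable.verify)

    limited = RateLimitedOtpVerifier(secret, max_attempts=5)
    blocked = brute_force_otp(limited.verify)

    return {
        "found": found,                      # "4271": the unthrottled API gives up the code
        "attempts": vulnerable.attempts,     # 4272 requests: every code from 0000 to 4271
        "blocked": blocked,                  # None: the lockout stopped the enumeration
        "locked": limited.locked,            # True after 5 wrong guesses
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The worst case is 10,000 requests and the average about 5,000; at a modest 50 requests per second the whole keyspace takes under four minutes, so without throttling, lockout or OTP expiry a 4-digit code offers no real protection. Against the lab API, the oracle would be a function that sends one login request with the candidate OTP and returns True when the response indicates success; the request format has to be taken from the lab itself.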