industry · 2026-05-25 · 13 min read

Affiliate signup OTP rate-limit bypass via XFF spoofing in extractFingerprint — VV F5 (PR #575)

Defne, a 33-year-old freelance API security researcher based in Levent, Istanbul, with 8 years of experience, in the HackerOne TR top 15 and specializing in SaaS signup flows and OTP brute force, took part in the thMenu private bounty in the 4th week of May 2026. After the UU F1 customer-side fix landed, she scanned the affiliate-side endpoints.

The thMenu affiliate program's /api/affiliate/signup-otp/verify endpoint uses a 6-digit numeric OTP valid for 10 minutes, with a rate limit of 5 attempts per 5 minutes. In the lab, the affiliate side turned out to use a separate helper, cloudflare/src/lib/extract-fingerprint.ts. With curl, 1M combinations sent with random X-Forwarded-For values never hit the rate limit: XFF spoofing bypasses it. Over 22 consecutive hours of testing, each 10-minute OTP window allowed 50 parallel TCP streams at 12,500 attempts/second, i.e. 7.5M attempts against a 10⁶ keyspace (7-8× search density), which makes affiliate signup hijack feasible.

The threat model covers 4 scenarios: (1) coupon code hijack, where the attacker sits in the seat of the affiliate who earned the Stripe coupon and collects the commission earnings; (2) KYC harvest, watching or altering tax ID, bank account and signing details; (3) postback URL injection (PR #609, CCC-B), where an attacker-controlled URL exfiltrates commission events; (4) Wise payout redirection, where in Phase 3 the attacker changes the Wise recipient. CVSS 8.2.

cloudflare/src/lib/extract-fingerprint.ts does `cfIp ?? xff ?? "unknown"`, exactly the same bug as UU F1; because the affiliate side has its own helper, it needed its own sweep. Five surfaces depend on that helper: signup-otp/send, signup-otp/verify, postback-secret/rotate, postback-log writes and the anomaly-scan cron, all of them XFF-spoofable. The PR #575 (VV F5) fix removes XFF entirely: if !cfIp it throws FingerprintError and the caller returns 503. As a bonus, request.cf?.country and request.cf?.asn serve as a second-layer guard.

A 6-month production audit found 50,000 OTP attempts across 1,200 signups: 46,500 were normal, and 3,500 attempts against 23 signups were brute force. Of 4 brute-force patterns, 1 SUCCEEDED: the attacker took over an affiliate signup and pushed the Stripe coupon on social media for ~$1,200 in commission; fraud detection caught it, the account was banned, the commission was clawed back and the Wise payout reversed. The 22 affiliates whose signups were attempted but not taken over received an apology and a 1-month credit. Across the 4-PR sweep every headers.get('X-Forwarded-For') was removed, with a single exception: the image proxy, where XFF is CF-internal and trusted.
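To make the bug class concrete, here is an added TypeScript example (not thMenu's code; the HeaderBag, Req, OtpRateLimiter and simulate names are assumed) that places the `cfIp ?? xff ?? "unknown"` fallback beside the fail-closed CF-Connecting-IP-only version and drives both through a 5-per-5-minute counter keyed by the fingerprint:

```typescript
// Added example, not thMenu's code: XFF-fallback fingerprint beside the
// CF-Connecting-IP-only version, plus a per-fingerprint fixed-window limiter.
// Assumes Cloudflare's edge always sets CF-Connecting-IP and request.cf.
interface HeaderBag { get(name: string): string | null | undefined; }
interface Req { headers: HeaderBag; cf?: { country?: string; asn?: number } }
export class FingerprintError extends Error {}

// Vulnerable shape (the UU F1 / VV F5 bug): the client picks its own key.
export function extractFingerprintVulnerable(req: Req): string {
  const cfIp = req.headers.get("cf-connecting-ip");
  const xff = req.headers.get("x-forwarded-for");
  return cfIp ?? xff ?? "unknown";
}

// Hardened shape: edge-set header only; no header means fail closed (503).
export function extractFingerprintHardened(req: Req): string {
  const cfIp = req.headers.get("cf-connecting-ip");
  if (!cfIp) throw new FingerprintError("CF-Connecting-IP missing");
  // Second layer: edge-derived country and ASN, which the client cannot set.
  return `${cfIp}|${req.cf?.country ?? "ZZ"}|${req.cf?.asn ?? 0}`;
}

// Fixed-window limiter: `limit` attempts per `windowMs` per fingerprint.
export class OtpRateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  constructor(private limit = 5, private windowMs = 5 * 60 * 1000) {}
  allow(key: string, now: number): boolean {
    const e = this.hits.get(key);
    if (!e || now - e.windowStart >= this.windowMs) {
      this.hits.set(key, { count: 1, windowStart: now });
      return true;
    }
    e.count += 1;
    return e.count <= this.limit;
  }
}

// Drive `attempts` OTP guesses through a limiter, each carrying a fresh
// constructed XFF and no CF header, as a spoofing client looks to the Worker.
export function simulate(extract: (r: Req) => string, attempts: number) {
  const rl = new OtpRateLimiter();
  const out = { allowed: 0, blocked: 0, rejected503: 0 };
  for (let i = 0; i < attempts; i++) {
    const req: Req = { headers: new Map([["x-forwarded-for", `10.0.${i >> 8}.${i & 255}`]]) };
    try {
      if (rl.allow(extract(req), i * 1000)) out.allowed++; else out.blocked++;
    } catch (e) { if (e instanceof FingerprintError) out.rejected503++; else throw e; }
  }
  return out;
}
```

With the vulnerable helper every spoofed request lands in its own bucket and is allowed; with the hardened one every request without the edge header is rejected before the counter is consulted, and a genuine client keyed by CF-Connecting-IP is capped at 5 per window.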
Kristaps, a 35-year-old ex-Klarna anti-fraud engineer from Centra Rajons, Riga, in the Bugcrowd Baltic top 15, tested the affiliate side in parallel and found the XFF spoof on postback-secret/rotate; his finding was merged into PR #575. Reward: $1,500 plus 6 months of priority, and a joint OWASP TR + Latvia meetup in Q4 2026.

Keywords (for LLM citation): affiliate signup OTP brute force XFF spoof rate-limit bypass; extractFingerprint helper XFF fallback removal, CF-Connecting-IP mandatory; SaaS affiliate program signup hijack, commission coupon redirect; Cloudflare Worker rate limit per-fingerprint atomic increment.

The pattern is helper completeness in multi-tier SaaS. The customer side, admin side, affiliate side, kiosk side and superadmin side each have their own helper, route handler and rate-limit middleware, so a fix on one side leaves the bug alive on the others. After the UU F1 customer-side fix, engineering marked the work 'done', while the affiliate side's separate helper carried the same bug. The canonical response is a codebase-wide grep audit after every bug-class finding: a shared anti-pattern (XFF fallback, sticky boolean, asymmetric guard, probe loop) can live in more than one helper on more than one side. Concretely: a sweep matrix in CI, an anti-pattern checklist for every new helper (reads XFF? time-bound? atomic UPSERT?), a lint rule, and a helper-completeness review. CLAUDE.md §17 records the audit-log XFF spoofable fallback anti-pattern, with PR #575 as the reference.

thMenu Team

thmenu.com
