Credential-Stuffing-Attack-Simulator/Credential-Stuffing-Attack-Simulator-RateLimit-Bypass
# Credential Stuffing Attack Simulator & Rate Limit Bypass Framework
Built for
Domain: Identity & Access Management (IAM)
# Overview
This project simulates realistic credential stuffing attacks against weakly protected authentication systems and demonstrates how attackers bypass naive rate-limiting implementations.
The platform is designed as a controlled adversary emulation framework for evaluating authentication security in cloud-native environments.
# Problem Statement
Credential stuffing attacks use leaked username-password combinations to gain unauthorized access to user accounts.
Many applications rely on weak rate-limiting mechanisms that attackers can bypass using:
- IP rotation
- User-Agent spoofing
- Timing randomization
- Header manipulation
This project demonstrates these attack techniques in a safe and controlled environment while also showcasing defensive mitigations.
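As an added illustration (not code from this repository) of why a limiter keyed on the source address alone is naive: the sliding-window limiter below is run over one constructed burst of attempts under two keying policies, and only the per-account key holds when every request arrives from a different address. The limiter, the policy names and the sample data are assumptions made for this example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Keying policies (assumed for this example): the naive one counts per source IP,
# the hardened one counts attempts against the targeted account regardless of source.
POLICIES = {
    "per_ip": lambda ip, user: f"ip:{ip}",
    "per_account": lambda ip, user: f"user:{user}",
}


def constructed_attempts():
    """Constructed sample: 20 login attempts against one account, one second apart,
    each from a different source address (i.e. the IP-rotation case)."""
    return [(float(i), f"203.0.113.{i}", "alice") for i in range(20)]


def attempts_admitted(attempts, limit=5, window=60.0):
    """Return, per policy, how many of the attempts the limiter admitted."""
    admitted = {}
    for name, key_fn in POLICIES.items():
        limiter = SlidingWindowLimiter(limit, window)
        admitted[name] = sum(
            limiter.allow(key_fn(ip, user), t) for t, ip, user in attempts
        )
    return admitted


if __name__ == "__main__":
    print(attempts_admitted(constructed_attempts()))  # {'per_ip': 20, 'per_account': 5}
```

The per-IP policy admits the whole burst because no single address ever exceeds its budget; the per-account policy stops it after five attempts, which is the signal a detection rule should key on.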
# Project Objectives
The main objectives of this project are:
- Simulate credential stuffing attacks
- Demonstrate rate-limit bypass techniques
- Analyze weaknesses in naive rate limiting
- Visualize attack telemetry
- Recommend mitigation strategies
- Build a reproducible cloud-native security lab
# Planned Architecture
The platform consists of:
- Vulnerable Flask login application
- Nginx reverse proxy with configurable rate limiting
- Distributed attack engine
- Evasion modules
- Monitoring dashboard
- Logging and analytics layer
# Features
## Offensive Features
- Async credential stuffing engine
- Proxy/IP rotation
- User-Agent rotation
- Timing jitter evasion
- Header spoofing
- Success detection
## Defensive Features
- Request monitoring
- Attack telemetry
- Rate-limit analytics
- Mitigation recommendations
# Tech Stack
| Component | Technology |
|---|---|
| Backend | Flask |
| Attack Engine | Python asyncio + aiohttp |
| Reverse Proxy | Nginx |
| Database | SQLite |
| Dashboard | Flask + Chart.js |
| Containers | Docker Compose |
# MITRE ATT&CK Mapping
| Technique ID | Technique |
|---|---|
| T1110.004 | Credential Stuffing |
| T1078 | Valid Accounts |
| T1036 | Masquerading |
# Team Structure
| Role | Responsibility |
|---|---|
| Attack Engine Lead | Async attack framework |
| Evasion Lead | Rate-limit bypass modules |
| Infrastructure Lead | Flask + Nginx setup |
| Documentation & Defense Lead | Dashboard + reports |
# Disclaimer
This project was developed strictly for educational and authorized security research purposes within a controlled environment.
No real-world systems or unauthorized targets were used.
# Future Enhancements
- Adaptive rate limiting
- CAPTCHA simulation
- Behavioral detection
- Device fingerprinting
- Distributed worker orchestration