Day 28 comes with a good write up about rate limit and captcha bypass, also with deserialization attacks!
Rate limit and captcha bypass at the same time
From Rajesh Ranjan. I found a writeup in which researcher was able to bypass the rate limit and captcha at the same time. He Neither turned off Interception nor Forwarded the Request. Check out this writeup here.
From Sam (CoffeeJunkie). First to understand deserialzation, we have to understand that deserialization is the reverse process of serialization which is the process of turning data format that can be restored later. In the case of deserialization mechanisms can have malicious purposes such as DoS (Denial of Service), access control, and RCE (Remote Code Execution attacks). A good guidance for deserializing objects can be found here.
Write Up and case
The attacker started looking on how the request treated the data while analyzing the technologies that the target was running. The attacker found the following headers which were interesting in order to realize the deserialization object.
Content-type = ‘application/x-java-serialized-object
After looking at the technologies, the attacker followed resources for JSF exploitation and obtained a shell.