Rate-Limit Bypass

Rate Limit Bypass Techniques

There are two main ways to do this:

  • Customizing HTTP Methods

  • Adding Headers to Spoof IP

1. Customizing HTTP Methods

  • If the request is sent as GET, try changing it to POST, PUT, etc.

  • To bypass the rate limit on an API, try the HEAD method.

Rate Limit Bypass using Header

Use the following headers just below the Host header:

X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP

#or use double X-Forwarded-For header
X-Forwarded-For:
X-Forwarded-For: IP

Adding HTTP Headers to Spoof IP and Evade Detection

  • These are headers I've collected so far to bypass rate limits.

X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Rate Limit Bypass using Special Characters

  • Adding a null byte (%00) at the end of the email can sometimes bypass the rate limit.

  • Try adding a space character after the email (not encoded).

  • Some common characters that help bypass rate limits: %0d, %2e, %09, %20, %0, %00, %0d%0a, %0a, %0C

  • Adding a slash (/) at the end of the API endpoint can also bypass the rate limit: domain.com/v1/login -> domain.com/v1/login/

Using IP Rotate Burp Extension

  • Try changing the User-Agent, the cookies... anything that could identify you.

  • If they are limiting to 10 tries per IP, change the IP in the header every 10 tries. Change other headers too.

  • Burp Suite's IP Rotate extension works well in many cases. Make sure you have Jython installed as well.

  • Here you'll find everything you need - https://github.com/PortSwigger/ip-rotate
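Every trick on this page (switching the HTTP method, spoofing X-Forwarded-For and its cousins, appending %00 or a space to the email, adding a trailing slash) works because the server builds its rate-limit key from something the client controls. The limiter below is an added example, not HowToHunt's code or any product's, showing the defensive side: it keys on the TCP peer address (honouring X-Forwarded-For only from a trusted proxy), normalizes the email and path, and ignores the method. TRUSTED_PROXIES, the limits and the request samples are constructed values.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: the only reverse proxy in front of the app
DEFAULT_LIMIT = 10               # constructed: attempts per key before we refuse

def client_ip(remote_addr, headers):
    """Address to rate-limit on. X-Forwarded-For (and X-Client-IP, X-Remote-IP, ...)
    is attacker-controlled, so it is only honoured when the TCP peer is our own
    proxy, and then we take the LAST entry (the one our proxy appended), never
    the first one the client sent."""
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
    if remote_addr in TRUSTED_PROXIES and xff.strip():
        return xff.split(",")[-1].strip()
    return remote_addr

def normalize_identity(email):
    """Collapse %00, %20, %09, %0a, %0d, %0c suffixes and letter case so that
    'victim@example.com%00' and 'Victim@example.com ' share one bucket."""
    decoded = unquote(email)
    return re.sub(r"[\x00-\x20\x7f]", "", decoded).lower()

def normalize_path(path):
    """'/v1/login' and '/v1/login/' must count against the same endpoint."""
    return "/" + unquote(path).strip("/").lower()

class LoginRateLimiter:
    def __init__(self, limit=DEFAULT_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, remote_addr, method, path, headers, email):
        # The method is deliberately NOT part of the key: POST -> GET/PUT/HEAD
        # does not open a fresh quota. Count before checking credentials so
        # failed and successful attempts both consume the budget.
        key = (client_ip(remote_addr, headers), normalize_path(path), normalize_identity(email))
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def demo(limit=3):
    """Constructed attempts from one untrusted client, each using a trick from
    this page; returns the allow/deny decision for each, in order."""
    lim = LoginRateLimiter(limit)
    attempts = [
        ("POST", "/v1/login",  {},                                             "victim@example.com"),
        ("HEAD", "/v1/login",  {"X-Forwarded-For": "127.0.0.1"},               "victim@example.com"),
        ("PUT",  "/v1/login/", {"X-Forwarded-For": "", "X-Remote-IP": "127.0.0.1"}, "victim@example.com%00"),
        ("GET",  "/v1/login",  {"X-Client-IP": "10.0.0.5"},                    "Victim@example.com "),
    ]
    return [lim.allow("203.0.113.9", m, p, h, e) for m, p, h, e in attempts]
```

With the limit set to 3, the fourth attempt is refused even though every request differs in method, header, path or email spelling.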

You can find more, with screenshots, at https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd

Reference

  • https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1

  • https://twitter.com/SalahHasoneh1/status/1287366496432332800

  • https://twitter.com/SMHTahsin33/status/1295054667613757441 (all in one must check)

You can find some more here - Check this out

Authors:

  • Keshav Malik

  • 0xd3vil

  • Virdoex_hunter

  • @0xCyberPirate

Last updated 3 years ago