- Customizing HTTP Methods
- Adding Headers to Spoof IP
- If the request is sent as GET, try changing it to POST, PUT, etc.
- If you want to bypass the rate limit in APIs, try the HEAD method.
- Use the following header just below the Host header (or use a double X-Forwarded-For header):
- These are the headers I've collected so far to bypass rate limits.
- Adding a null byte (`%00`) at the end of the email can sometimes bypass the rate limit.
- Try adding a space character after the email (not encoded).
- Some common characters that help bypass rate limits: `%0d`, `%2e`, `%09`, `%20`, `%0`, `%00`, `%0d%0a`, `%0a`, `%0C`
- Adding a slash (`/`) at the end of the API endpoint can also bypass the rate limit.
- Try changing the User-Agent, the cookies... anything that could be used to identify you.
- If they are limiting to 10 tries per IP, change the IP inside the header every 10 tries, and change other headers as well.
- Burp Suite's IP Rotate extension works well in many cases. Make sure you have Jython installed as well.
- Here you'll find everything you need: https://github.com/PortSwigger/ip-rotate
- https://twitter.com/SMHTahsin33/status/1295054667613757441 (all in one, must check)
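Every bypass above works because the limiter derives its bucket key from something the client controls (a forwarded-IP header, the HTTP method, a trailing slash, a null byte or space after the email). As an added defensive example, not code from the original page, here is a sliding-window limiter that only honours X-Forwarded-For when the TCP peer is a trusted proxy (assumed range 10.0.0.0/8), ignores the method, and normalizes the path and email before keying, so the listed mutations all land in the same bucket:

```python
import re
import unicodedata
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumption for this example: only our own reverse proxies live in 10.0.0.0/8.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def client_ip(peer_ip, xff_headers):
    """IP to rate-limit on. X-Forwarded-For is used only when the peer is a
    trusted proxy, and then only the right-most hop (the one our proxy appended),
    so spoofed or duplicated XFF headers sent by the client carry no weight."""
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        return peer_ip
    # several XFF headers are folded into one chain before picking the last hop
    chain = [p.strip() for h in xff_headers for p in h.split(",") if p.strip()]
    return chain[-1] if chain else peer_ip

def normalize_email(raw):
    # drop NUL and other control bytes (decoded %00, %09, %0a, %0d, %0c),
    # then trim surrounding whitespace and fold case and Unicode compatibility forms
    cleaned = "".join(ch for ch in raw if ch >= " " and ch != "\x7f")
    return unicodedata.normalize("NFKC", cleaned).strip().lower()

def normalize_path(path):
    # "/api/reset/" and "/api/reset" share one bucket
    return re.sub(r"/+$", "", path) or "/"

class RateLimiter:
    """Sliding-window counter: at most `limit` hits per key within `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def check_request(limiter, peer_ip, headers, path, email, now):
    """True if the request may proceed. The HTTP method is deliberately not part
    of the key, so HEAD/POST/PUT draw from the same budget as GET. Two buckets are
    enforced: one per client IP and one per target email, so rotating IPs alone
    does not reset the budget for a single victim address."""
    ip = client_ip(peer_ip, headers.get("x-forwarded-for", []))
    route, target = normalize_path(path), normalize_email(email)
    return limiter.allow(("ip", ip, route), now) and limiter.allow(("target", route, target), now)
```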