Rate-Limit Bypass

Rate Limit Bypass Techniques

There are two ways to do that

Customizing HTTP Methods
Adding Headers to Spoof IP

1. Customizing HTTP Methods

If the request goes on GET try to change it to POST, PUT, etc.,
If you wanna bypass the rate-limit in API's try HEAD method.

Rate Limit Bypass using Header

Use the following Header just Below the Host Header

X-Forwarded-For: IP
X-Forwarded-IP: IP
X-Client-IP: IP
X-Remote-IP: IP
X-Originating-IP: IP
X-Host: IP
X-Client: IP

#or use double X-Forwarded-For header
X-Forwarded-For:
X-Forwarded-For: IP

Adding HTTP Headers to Spoof IP and Evade Detection

These are Headers I've collected so far to Bypass Rate-Limits.

X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarder-For: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Custom-IP-Authorization: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

Rate Limit Bypass using Special Characters

Adding Null Byte ( %00 ) at the end of the Email can sometimes Bypass Rate Limit.
Try adding a Space Character after a Email. ( Not Encoded )
Some Common Characters that help bypassing Rate Limit : %0d , %2e , %09 , %20 , %0, %00, %0d%0a, %0a, %0C
Adding a slash(/) at the end of api endpoint can also Bypass Rate Limit. domain.com/v1/login -> domain.com/v1/login/

Using IP Rotate Burp Extension

Try changing the user-agent, the cookies... anything that could be able to identify you
If they are limiting to 10 tries per IP, every 10 tries change the IP inside the header. Change other headers
Burp Suite's Extension IP Rotate works well in many cases. Make sure you have Jython installed along.
Here You'll everything you need - https://github.com/PortSwigger/ip-rotate

You can find some more here - Check this out

You can find more with screenshot https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd

Reference

https://twitter.com/m4ll0k2/status/1294983599943540738/photo/1
https://twitter.com/SalahHasoneh1/status/1287366496432332800
https://twitter.com/SMHTahsin33/status/1295054667613757441 (all in one must check)

Authors:

PreviousRate Limit Flaws NextNo Rate-Limit on Verify-PhoneNo

Last updated 4 years ago

Was this helpful?

hashtagRate Limit Bypass Techniques

hashtagThere are two ways to do that

hashtag1. Customizing HTTP Methods

hashtagRate Limit Bypass using Header

hashtagAdding HTTP Headers to Spoof IP and Evade Detection

hashtagRate Limit Bypass using Special Characters

hashtagUsing IP Rotate Burp Extension

hashtagYou can find some more here - Check this outarrow-up-right

hashtagYou can find more with screenshot https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd

hashtagReference

hashtagAuthors:

Rate Limit Bypass Techniques

There are two ways to do that

1. Customizing HTTP Methods

Rate Limit Bypass using Header

Adding HTTP Headers to Spoof IP and Evade Detection

Rate Limit Bypass using Special Characters

Using IP Rotate Burp Extension

You can find some more here - Check this out

You can find more with screenshot https://medium.com/@huzaifa_tahir/methods-to-bypass-rate-limit-5185e6c67ecd

Reference

Authors: