Bypass rating limit

Basic info

Rate limiting is a fundamental security mechanism designed to prevent brute-force attacks, credential stuffing, and API abuse. However, many implementations contain weaknesses that attackers can exploit to bypass restrictions. This article explores advanced techniques used to evade rate limits, how tools like Burp Suite and ffuf automate attacks, and how security professionals can detect and mitigate these vulnerabilities.

Understanding Weak Rate-Limiting Mechanisms

Rate limits are typically enforced using one or more of the following strategies:

• IP-based limiting: Restricts requests from the same IP address.

• Session-based limiting: Limits actions within a specific user session.

• Header-based limiting: Uses custom headers to enforce restrictions.

• Time-based limiting: Allows a fixed number of requests per second/minute/hour.

Attackers bypass weak implementations by manipulating these constraints. Let's explore some advanced techniques.

Rate Limit Bypass Techniques

1. Exploring Similar Endpoints

Attackers look for variations of the targeted endpoint to see if rate limits apply inconsistently. Examples:

/api/v3/sign-up
/Sing-up
/SignUp
/singup
/api/v1/sign-up
/api/sign-up

By rotating between multiple endpoints, an attacker can bypass rate limits applied to a single endpoint.

2. Incorporating Blank Characters in Code or Parameters

Adding blank bytes such as %00, %0d%0a, %20 can fool poorly implemented rate limit checks. Example:

code=1234%0a

This tactic is useful for circumventing login attempt restrictions by injecting variations of credentials.

3. Manipulating IP Origin via Headers

Many rate-limiting systems rely on IP addresses to track request counts. Attackers manipulate headers such as:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1

By altering these headers, attackers can trick the server into treating repeated requests as coming from different users.

4. Changing Other Headers

Rate-limiting systems sometimes rely on tracking specific headers such as User-Agent or cookies. Attackers can:

• Rotate user-agents using browser automation tools.

• Clear or manipulate cookies with each request.

5. Leveraging API Gateway Behavior

Some API gateways enforce rate limits based on parameters. Attackers bypass these by:

/resetpwd?someparam=1
/resetpwd?someparam=2

By appending non-significant parameters, requests appear unique, circumventing the limit.

6. Logging Into Your Account Before Each Attempt

Some applications reset rate limits after successful logins. Attackers:

• Automate re-login before each brute-force attempt.

• Use Burp Suite’s Pitchfork Attack to rotate credentials.

7. Utilizing Proxy Networks

To evade IP-based rate limiting, attackers:

• Route traffic through Tor or VPNs.

• Use rotating proxies with tools like ffuf.

• Deploy botnets to distribute attack requests.

8. Splitting the Attack Across Different Accounts or Sessions

When rate limits apply per user session, attackers distribute requests among:

• Multiple fake accounts.

• Temporary guest sessions.

• Different user tokens.

9. Using Capital Letters or URL Case Changes

Imagine you have a login page at the URL /login. The system enforces a rate limit to prevent brute force attacks by restricting the number of login attempts a user can make in a given time frame. For instance, after 5 failed attempts within a minute, further login attempts from the same IP or account may be blocked temporarily.

However, in some systems, the rate-limiting mechanism may rely on the exact string of the URL, including its casing. If the system does not normalize the case of the URL when applying the rate limit, it could treat /login and /logiN (with the capital “N”) as two distinct endpoints.

Automating Rate Limit Bypass with Burp Suite & ffuf

Using Burp Suite for Rate Limit Bypass

Burp Suite’s Intruder module automates brute-force attacks while bypassing rate limits:

1. Set up Intruder to target the login endpoint.

2. Use Sniper or Pitchfork mode to rotate parameters.

3. Modify headers dynamically to evade detection.

4. Enable follow redirects to refresh rate limit counters.

Automating with ffuf

ffuf is a powerful tool for brute-force attacks that can be used to bypass rate limits.

# Using ffuf to bypass rate limits via header manipulation
ffuf -u https://target.com/login -w wordlist.txt -H "X-Forwarded-For: 127.0.0.1"
# Sending requests from multiple IPs using a proxy list
ffuf -u https://target.com/api/login -w wordlist.txt -H "X-Forwarded-For: FUZZ"
# Testing multiple endpoints simultaneously
ffuf -u https://target.com/FUZZ -w endpoints.txt -fc 403