Bypass rating limit
Bypass rate limits like a pro with VeryLazyTech—advanced exploits and lazy techniques unveiled!
Become VeryLazyTech member! 🎁
Follow us on:
✖ Twitter @VeryLazyTech.
👾 Github @VeryLazyTech.
📜 Medium @VeryLazyTech.
📺 YouTube @VeryLazyTech.
📩 Telegram @VeryLazyTech.
🕵️♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Basic info
Rate limiting is a fundamental security mechanism designed to prevent brute-force attacks, credential stuffing, and API abuse. However, many implementations contain weaknesses that attackers can exploit to bypass restrictions. This article explores advanced techniques used to evade rate limits, how tools like Burp Suite and ffuf automate attacks, and how security professionals can detect and mitigate these vulnerabilities.
Understanding Weak Rate-Limiting Mechanisms
Rate limits are typically enforced using one or more of the following strategies:
IP-based limiting: Restricts requests from the same IP address.
Session-based limiting: Limits actions within a specific user session.
Header-based limiting: Uses custom headers to enforce restrictions.
Time-based limiting: Allows a fixed number of requests per second/minute/hour.
Attackers bypass weak implementations by manipulating these constraints. Let's explore some advanced techniques.
Rate Limit Bypass Techniques
1. Exploring Similar Endpoints
Attackers look for variations of the targeted endpoint to see if rate limits apply inconsistently. Examples:
/api/v3/sign-up
/Sing-up
/SignUp
/singup
/api/v1/sign-up
/api/sign-up
By rotating between multiple endpoints, an attacker can bypass rate limits applied to a single endpoint.
2. Incorporating Blank Characters in Code or Parameters
Adding blank bytes such as %00
, %0d%0a
, %20
can fool poorly implemented rate limit checks. Example:
code=1234%0a
This tactic is useful for circumventing login attempt restrictions by injecting variations of credentials.
3. Manipulating IP Origin via Headers
Many rate-limiting systems rely on IP addresses to track request counts. Attackers manipulate headers such as:
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
By altering these headers, attackers can trick the server into treating repeated requests as coming from different users.
4. Changing Other Headers
Rate-limiting systems sometimes rely on tracking specific headers such as User-Agent
or cookies. Attackers can:
Rotate user-agents using browser automation tools.
Clear or manipulate cookies with each request.
5. Leveraging API Gateway Behavior
Some API gateways enforce rate limits based on parameters. Attackers bypass these by:
/resetpwd?someparam=1
/resetpwd?someparam=2
By appending non-significant parameters, requests appear unique, circumventing the limit.
6. Logging Into Your Account Before Each Attempt
Some applications reset rate limits after successful logins. Attackers:
Automate re-login before each brute-force attempt.
Use Burp Suite’s Pitchfork Attack to rotate credentials.
7. Utilizing Proxy Networks
To evade IP-based rate limiting, attackers:
Route traffic through Tor or VPNs.
Use rotating proxies with tools like ffuf.
Deploy botnets to distribute attack requests.
8. Splitting the Attack Across Different Accounts or Sessions
When rate limits apply per user session, attackers distribute requests among:
Multiple fake accounts.
Temporary guest sessions.
Different user tokens.
9. Using Capital Letters or URL Case Changes
Imagine you have a login page at the URL /login. The system enforces a rate limit to prevent brute force attacks by restricting the number of login attempts a user can make in a given time frame. For instance, after 5 failed attempts within a minute, further login attempts from the same IP or account may be blocked temporarily.
However, in some systems, the rate-limiting mechanism may rely on the exact string of the URL, including its casing. If the system does not normalize the case of the URL when applying the rate limit, it could treat /login
and /logiN
(with the capital “N”) as two distinct endpoints.
Automating Rate Limit Bypass with Burp Suite & ffuf
Using Burp Suite for Rate Limit Bypass
Burp Suite’s Intruder module automates brute-force attacks while bypassing rate limits:
Set up Intruder to target the login endpoint.
Use Sniper or Pitchfork mode to rotate parameters.
Modify headers dynamically to evade detection.
Enable follow redirects to refresh rate limit counters.
Automating with ffuf
ffuf
is a powerful tool for brute-force attacks that can be used to bypass rate limits.
# Using ffuf to bypass rate limits via header manipulation
ffuf -u https://target.com/login -w wordlist.txt -H "X-Forwarded-For: 127.0.0.1"
# Sending requests from multiple IPs using a proxy list
ffuf -u https://target.com/api/login -w wordlist.txt -H "X-Forwarded-For: FUZZ"
# Testing multiple endpoints simultaneously
ffuf -u https://target.com/FUZZ -w endpoints.txt -fc 403
Learn & practice For the OSCP.
Last updated
Was this helpful?