8 different techniques to bypass rate limits in web applications and APIs.

[A Thread 🧵]

#bugbounty #bugbountytips #cybersecurity #AppSec
- What is a Rate Limit

Rate limiting is the process of limiting the number of requests a user can make to a web server within a given span of time. It is usually implemented as IP-based or session-based rate limits on the web server.

Bypasses 👇
- Where to Look for Rate Limit Bugs

Places like:
- Login/Signup pages
- Register Pages
- 2FA codes
- Confirmation Codes

and any other request which, if brute-forced, would let an attacker achieve something malicious should be checked for a "No Rate Limit" issue.

Bypasses 👇
[Bypass 1] - Using Null Chars

%00, %0d%0a, %09, %0C, %20, %0

Example:
- Brute-force with snapsec@gmail.com
- After some time you will be blocked
- Now brute-force with snapsec@gmail.com%00 and check whether you are able to continue brute-forcing
[Bypass 2] - Adding Spaces

A web server may strip extra spaces appended to the email/username on the backend, which may allow you to brute-force the same email by appending an extra space every time you are blocked.
[Bypass 3] - Host Header Injection

Try modifying the Host header of the request after being blocked by the server:

Change Host:www,newsite,com
Change Host:localhost
Change Host:127.0.0.1
[Bypass 4] - Changing Cookies

Try changing the session cookie after being blocked by the server. This can be achieved by figuring out which request is responsible for setting the session cookie and then using that request to obtain a fresh session cookie every time you are blocked.
[Bypass 5] - X-Forwarded-For

- dig target[.]com
- Change the X-Forwarded-For header to [Website-ip]

This may confuse the WAF/server/load balancer into treating the requests as if they were being forwarded from another host, while they are still forwarded to the same target host, hence allowing you to bypass the rate limit.
[Bypass 6] - Confuse server with correct attempts

If the server blocks you after 20 attempts, try brute-forcing with 19 attempts, use your own correct credentials to log in to your account on the 20th attempt, and then repeat the process.
[Bypass 7] - Updating Target Paths

Appending a random param=value may sometimes bypass the rate limit on the endpoint.

Eg:
- Brute-force /api/v1/users/<id>
- Got blocked after 200 attempts
- Now brute-force /api/v1/users/<id>?xyz=123
- and change the param=value after every 200 attempts
[Bypass 8] - IP-based Rate Limits

IP-based rate limits can easily be bypassed by changing the IP address of your machine. An alternative is to use the IP Rotate Burp extension.
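A defender's counterpart to the eight bypasses above, written as an added example rather than code from the thread: a login rate limiter whose key is built so that the null-byte/space padding, Host header, cookie swap, query-string padding, spoofed X-Forwarded-For and interleaved-correct-login tricks all still land on the same counter. The TRUSTED_PROXIES address and the limit/window values are assumptions.

```python
import re
import time
import unicodedata
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.2"}             # assumed address of our own load balancer
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # %00, %0d%0a, %09, %0C and friends

def canonical_identity(raw):
    """Normalise a submitted username/email so padding variants map to one key."""
    s = unicodedata.normalize("NFKC", raw)
    s = _CONTROL.sub("", s)                # drop null and other control characters
    s = re.sub(r"\s+", "", s)              # drop every space, not just leading/trailing
    return s.lower()

def client_ip(peer_ip, xff):
    """Honour X-Forwarded-For only when the direct peer is our own trusted proxy."""
    if peer_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()  # last hop is the one the proxy itself saw
    return peer_ip                         # otherwise the header is attacker-controlled

def rate_key(path, peer_ip, headers, identity):
    route = path.split("?", 1)[0]          # ignore ?xyz=123 padding on the path
    ip = client_ip(peer_ip, headers.get("X-Forwarded-For"))
    # Host and Cookie are deliberately NOT part of the key: the client chooses them.
    return (f"ip:{ip}:{route}", f"acct:{canonical_identity(identity)}:{route}")

class LoginLimiter:
    """Sliding-window limiter keyed on both client IP and canonical account."""
    def __init__(self, limit=20, window=600):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, path, peer_ip, headers, identity, now=None):
        now = time.time() if now is None else now
        keys = rate_key(path, peer_ip, headers, identity)
        for k in keys:                     # expire hits outside the window
            self.hits[k] = [t for t in self.hits[k] if now - t < self.window]
        if any(len(self.hits[k]) >= self.limit for k in keys):
            return False                   # either the IP or the account is over limit
        for k in keys:                     # count every attempt, successful ones included
            self.hits[k].append(now)
        return True
```

Because both keys are checked and every attempt is counted, a 19-failures-plus-one-success cycle, a fresh cookie, or a padded identifier from the same address all keep incrementing the same counters.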
