Rate limiting is a process that limits the number of requests a user can make to a web server within a span of time. It is usually implemented on the web server as IP-based or session-based limits (counting requests per client address, or per authenticated session or account).
Bypasses
- Where to Look for Rate Limit Bugs
Places like:
- Login/Signup pages
- Register Pages
- 2FA codes
- Confirmation Codes
and any other request which, if brute-forced, would allow an attacker to achieve something malicious should be checked for a "No Rate Limit" issue.
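To make the IP-based and session/account-based limits from the opening paragraph concrete, here is an added example (not code from the original page) of a sliding-window limiter that protects a login or 2FA endpoint with both counters at once. The class names, limits and sample client addresses are constructed for illustration.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` for each key (hypothetical helper)."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        cutoff = now - self.window
        # Drop timestamps that have fallen out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # budget exhausted: caller should answer 429
        q.append(now)
        return True


class LoginRateLimiter:
    """Combine an IP-based limit with a per-account limit.

    Both counters are always consulted, so a blocked attempt still consumes
    budget on the other key. Defaults (constructed): 20 attempts per minute
    per client IP, and 5 attempts per 5 minutes per account, which is the
    kind of budget a login, signup or 2FA-code endpoint needs.
    """

    def __init__(self, ip_limit=(20, 60), account_limit=(5, 300)):
        self.by_ip = SlidingWindowLimiter(*ip_limit)
        self.by_account = SlidingWindowLimiter(*account_limit)

    def check(self, client_ip, account, now=None):
        ip_ok = self.by_ip.allow(client_ip, now)
        account_ok = self.by_account.allow(account, now)
        return ip_ok and account_ok


def simulate(limiter, attempts):
    """Run constructed (ip, account, time) attempts and return the allow/deny decisions."""
    return [limiter.check(ip, account, now=t) for ip, account, t in attempts]


if __name__ == "__main__":
    # Constructed sample: one address hammering one account, one second apart.
    attempts = [("203.0.113.5", "alice", float(i)) for i in range(7)]
    print(simulate(LoginRateLimiter(), attempts))  # first 5 allowed, then denied
```

Keying on the account as well as the IP is what closes the obvious gap in a purely IP-based limit (many addresses against one account), while the IP limit still caps a single address spraying many accounts.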
An insecure CORS configuration allows any website to trigger requests carrying the user's credentials to the target application and read the responses, enabling an attacker to perform privileged actions on the user's behalf or to retrieve potentially sensitive information.
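As an added example (not from the original page), the following contrasts the misconfiguration just described, a server that reflects any `Origin` header together with `Access-Control-Allow-Credentials: true`, with an allowlist-based handler, and includes a small audit function for checking a response's CORS headers. The allowlist, origins and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed requests.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def insecure_cors_headers(request_origin):
    """The misconfiguration: echo whatever Origin arrived and allow credentials."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def secure_cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Hardened form: exact match against the allowlist, https only, no 'null'."""
    if request_origin is None or request_origin == "null":
        return {}
    parts = urlsplit(request_origin)
    # Rebuild scheme://host[:port] so a trailing path or mixed case cannot slip past.
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if parts.scheme != "https" or normalized not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Responses differ per origin, so caches must key on it.
        "Vary": "Origin",
    }


def audit_cors(response_headers, request_origin, allowed=ALLOWED_ORIGINS):
    """Return a list of findings describing why a response's CORS headers are unsafe."""
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    creds = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None or not creds:
        return findings  # no credentialed cross-origin read is granted
    if acao == "*":
        # Browsers refuse '*' with credentials, but it still signals a careless config.
        findings.append("wildcard origin with credentials")
    elif acao == "null":
        findings.append("'null' origin with credentials")
    elif acao == request_origin and acao not in allowed:
        findings.append("reflects untrusted origin with credentials")
    return findings


if __name__ == "__main__":
    probe = "https://attacker.example"  # constructed untrusted origin
    print(audit_cors(insecure_cors_headers(probe), probe))
    print(audit_cors(secure_cors_headers(probe), probe))
```

The audit function is the part worth keeping in a test suite: run it against the headers your application returns for an allowlisted origin, an unknown origin and the literal `null`, and fail the build if any finding comes back.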