rate limit bypass

1. Using a different parameter or path spelling: suppose the rate limit is on signup, try:
    sign-up, Sign-up, SignUp

https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-5185e6c67ecd
2. Rate limit bypass headers:
Most applications use X-Forwarded-For as the common method for identifying the originating IP address of the client. Sending an X-Forwarded-For: IP header can sometimes bypass rate-limit protection. Sometimes adding the X-Forwarded-For: IP header twice instead of once can bypass rate-limit protection.
X-Forwarded: 127.0.0.1
X-Forwarded-By: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-For-Original: 127.0.0.1
X-Forwarded-For-Ip: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Forward-For: 127.0.0.1
Forwarded: 127.0.0.1
Forwarded-For: 127.0.0.1
Forwarded-For-Ip: 127.0.0.1
X-Originating-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-True-Ip: 127.0.0.1

Send the IP header twice instead of once. (Tip from Kiraak Boy)


Sometimes the limit is shown as 20 requests per account; it can be bypassed by switching to a different IP after 20 attempts.


3. Rate limit on OTP SMS:
1) Capture the request.
2) Remove the country code (+91 → empty).
3) Modify the number from xxxxx-xxxxx to +91 xxxxx-xxxxx.

4. Add these characters after the email or mobile number:
%00, %0d%0a, %09, %0C, %20 (white-space value), %0


5. Just add a random parameter (example: ?bypass) to the end of the endpoint.
https://twitter.com/xchopath/status/1245402225788063744/photo/1
6. Changing user-agents and/or cookies.
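Every tip above works because the limiter keys on something the client controls: a header it can forge, the raw spelling of the path or query, or the raw email/phone string. The following is an added example (not from this post) of a limiter that derives its keys conservatively; TRUSTED_PROXIES, COUNTRY_CODE and all addresses are constructed assumptions for the demo.

```python
import re
import unicodedata
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Constructed values for this example: only our own reverse proxies may set
# X-Forwarded-For, and national numbers are assumed to be 10 digits under +91.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
COUNTRY_CODE = "91"

def client_ip(remote_addr, headers):
    # Honour X-Forwarded-For only when the TCP peer is our proxy, and then use
    # the hop that proxy appended (the last one), never the client-chosen first.
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        return remote_addr
    xff = [v for k, v in headers if k.lower() == "x-forwarded-for"]
    if len(xff) != 1:  # absent or duplicated header: do not guess, use the peer
        return remote_addr
    hops = [h.strip() for h in xff[0].split(",") if h.strip()]
    return hops[-1] if hops else remote_addr

def normalize_identifier(value):
    # Canonical email or phone: %00, %0d%0a, %20, case and +91 variants share a bucket.
    v = unquote(value).lower()
    v = "".join(c for c in v if unicodedata.category(c)[0] not in "CZ")
    if "@" in v:
        m = re.match(r"[a-z0-9._+\-]+@[a-z0-9.\-]+", v)
        return m.group(0) if m else v
    digits = re.sub(r"\D", "", v)
    if digits.startswith(COUNTRY_CODE) and len(digits) > 10:
        digits = digits[len(COUNTRY_CODE):]
    return "+" + COUNTRY_CODE + digits[:10]

def normalize_endpoint(url):
    # Bucket on the route, not its spelling: drop query string and case and
    # collapse separators so sign-up, Sign-up and SignUp are one endpoint.
    return re.sub(r"[-_]", "", urlsplit(url).path.lower()).rstrip("/")

class FixedWindowLimiter:
    # Counts per (IP, endpoint) and per (account, endpoint), so rotating IPs
    # does not reset the account bucket and rotating accounts not the IP bucket.
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.counts = defaultdict(int)

    def allow(self, remote_addr, headers, url, identifier, now):
        window, endpoint = int(now // self.window), normalize_endpoint(url)
        keys = (("ip", client_ip(remote_addr, headers), endpoint, window),
                ("acct", normalize_identifier(identifier), endpoint, window))
        for key in keys:
            self.counts[key] += 1
        return all(self.counts[k] <= self.limit for k in keys)
```

In production, key on the router's matched route name rather than a regex over the path, and keep the per-account bucket even when a per-IP bucket exists.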
