Rate Limit Bypass

Rate limit bypass occurs when an attacker circumvents the application’s intended request throttling or usage restrictions. Rate limiting is designed to control how often a user can perform a specific action within a given timeframe. When improperly implemented, attackers can send unlimited requests, enabling brute force, enumeration, account takeover, spam, denial-of-service, and large-scale abuse of the application's features.

Business logic attacks often arise from assumptions: developers design workflows for honest users, not for attackers who modify requests, automate traffic, and exploit weak enforcement. Rate limit bypass is one of the most common logic flaws.

Understanding Rate Limits

Rate limiting aims to restrict:

  • login attempts

  • OTP or verification requests

  • password reset attempts

  • search or filtering operations

  • comment or message submissions

  • API calls

  • resource-intensive actions

  • checkout or purchase flows

A basic rate limit might allow:

5 requests per minute per user

If attackers can bypass or reset the limit, the protection becomes useless.

How Rate Limit Bypass Happens

Rate limit bypass occurs due to:

  • enforcing limits based on client-controlled values

  • trusting headers that can be spoofed

  • keying limits on weak identifiers

  • lack of global or server-side tracking

  • relying on front-end UI restrictions

  • using naive IP-based rate limiting

Attackers manipulate the rate-limiting logic to send unlimited requests.

Common Rate Limit Bypass Techniques

1. IP Spoofing via Headers

Applications often trust headers such as:

  • X-Forwarded-For

  • X-Real-IP

  • Client-IP

Attackers rotate header values:

X-Forwarded-For: 1.1.1.1
X-Forwarded-For: 2.2.2.2

If the rate limit is keyed on the client IP and that IP is read from a client-supplied header, every new header value receives a fresh quota and the limit is bypassed.
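The header trust problem above, shown from the implementing side. This is an added example, not code from the original page: it contrasts a limiter key that believes the leftmost X-Forwarded-For value with one that only honours hops appended by proxies the operator controls. The TRUSTED_PROXIES range, the request dictionaries, the helper names and the addresses are all constructed for the example.

```python
import ipaddress

# Constructed example: the reverse proxies we operate. Only a hop appended by one of
# these may be trusted; anything further left in X-Forwarded-For came from the client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr, trusted_proxies):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_proxies)


def client_ip_weak(request):
    """Weak keying: believes the leftmost X-Forwarded-For value, whoever wrote it."""
    xff = request["headers"].get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or request["remote_addr"]


def client_ip_hardened(request, trusted_proxies=TRUSTED_PROXIES):
    """Hardened keying: use the TCP peer unless it is one of our proxies, and then
    walk X-Forwarded-For right-to-left, stopping at the first hop that is not ours."""
    remote = request["remote_addr"]
    if not _is_trusted(remote, trusted_proxies):
        # The peer is not our proxy, so the header is client-supplied: ignore it.
        return remote
    hops = [h.strip() for h in request["headers"].get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not _is_trusted(hop, trusted_proxies):
            return hop
    return remote


def distinct_quota_buckets(requests, key_func):
    """How many separate per-IP quotas a burst of requests is spread across.
    A correct limiter should see one attacker as one bucket."""
    return len({key_func(r) for r in requests})


# Constructed burst: one client (TCP peer 203.0.113.7, not a trusted proxy) sends
# twenty requests, rotating the X-Forwarded-For value on every one.
SPOOFED_BURST = [
    {"remote_addr": "203.0.113.7", "headers": {"X-Forwarded-For": f"198.51.100.{i}"}}
    for i in range(1, 21)
]

# Constructed request that really did come through our proxy 10.0.0.5: the client
# prepended a fake hop, the proxy appended the true peer address.
VIA_PROXY = {
    "remote_addr": "10.0.0.5",
    "headers": {"X-Forwarded-For": "198.51.100.1, 203.0.113.7"},
}

if __name__ == "__main__":
    print("weak keying, buckets:", distinct_quota_buckets(SPOOFED_BURST, client_ip_weak))
    print("hardened keying, buckets:", distinct_quota_buckets(SPOOFED_BURST, client_ip_hardened))
    print("via proxy resolves to:", client_ip_hardened(VIA_PROXY))
```

With the weak key the twenty-request burst lands in twenty quotas; with the hardened key it lands in one, and a request that genuinely traversed the proxy still resolves to the address the proxy appended rather than the value the client prepended.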

2. Rotating Proxy or VPN IPs

Simple but effective:

  • load balancers

  • Tor exit nodes

  • botnets

  • public proxies

Each new source IP starts with a fresh quota.

3. Changing Request Methods

Some rate limits apply only to specific methods.

Example:

POST /login  → rate limited
GET /login   → not limited

Switching to the unthrottled method bypasses the limit.

4. Parameter Pollution

Injecting multiple values:

email=test@example.com&email=victim@example.com

If the rate limiter and the backend read different copies of the duplicated parameter, the request may bypass the filter.

5. Multiple Endpoints Trigger Same Action

Rate limit might exist only on:

POST /login

But alternative routes bypass it:

POST /api/login
GET /v2/auth
POST /auth

These endpoints perform the same action without limits.

6. Using Different Content-Types

Rate limit applies only to:

Content-Type: application/json

But attackers use:

application/x-www-form-urlencoded
multipart/form-data
text/plain

The rate limiter is not applied uniformly across content types.

7. Header Manipulation to Bypass Filters

Some systems accidentally key rate limits on:

User-Agent
Referer
Origin
Language
Cookie

Attackers modify these values each request.

8. Cookie Reset or Token Rotation

If rate limit is tied to:

  • session ID

  • JWT token

  • cookie value

Attackers reset or generate new tokens on every request.

9. Distributed Attacks

Automation distributes requests across:

  • multiple devices

  • containers

  • cloud servers

Each node stays under the limit.

10. Using HTTP/2 Multiplexing

Some rate limiters count connections, not requests.

HTTP/2 multiplexes many requests over a single connection, so a per-connection limit is bypassed.

11. Using WebSockets

If rate limits apply only to HTTP endpoints:

ws://api.example.com/auth

WebSocket authentication flows may avoid HTTP rate limiting.

12. CDN / Load Balancer Inconsistency

Some systems apply rate limits:

  • at CDN layer

  • but not at backend

  • or vice versa

Attackers target the unprotected layer.
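From the defender's side, the techniques above leave a recognisable trace: one TCP peer producing many login-action requests, each with a different X-Forwarded-For or User-Agent value, spread across the alternate routes, and no 429 anywhere in the mix. The following is an added detection example, not code from the page or any product; the log format, the LOG_LINES sample, the LOGIN_PATHS route set and the thresholds are constructed for it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from any real system). Fields: timestamp, TCP peer,
# X-Forwarded-For as received ("-" if absent), User-Agent, method, path, status.
LOG_LINES = """\
2024-05-01T10:00:00Z 203.0.113.7 "198.51.100.1" "Mozilla/5.0" POST /login 401
2024-05-01T10:00:01Z 203.0.113.7 "198.51.100.2" "Mozilla/5.0" POST /login 401
2024-05-01T10:00:02Z 203.0.113.7 "198.51.100.3" "curl/8.0" GET /login 401
2024-05-01T10:00:03Z 203.0.113.7 "198.51.100.4" "Mozilla/5.0" POST /api/login 401
2024-05-01T10:00:04Z 203.0.113.7 "198.51.100.5" "curl/8.0" POST /auth 401
2024-05-01T10:00:05Z 203.0.113.7 "198.51.100.6" "Mozilla/5.0" POST /login 401
2024-05-01T10:00:06Z 203.0.113.7 "198.51.100.7" "Mozilla/5.0" POST /login 200
2024-05-01T10:00:10Z 203.0.113.9 "-" "Mozilla/5.0" POST /login 401
2024-05-01T10:00:40Z 203.0.113.9 "-" "Mozilla/5.0" POST /login 200
2024-05-01T10:03:00Z 203.0.113.7 "198.51.100.8" "Mozilla/5.0" GET /home 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)" (\S+) (\S+) (\d{3})$')

# Constructed route set: every path that performs the login action. A bypass that
# alternates endpoints is only visible if all of them are counted together.
LOGIN_PATHS = {"/login", "/api/login", "/auth", "/v2/auth", "/auth/login"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ts, peer, xff, ua, method, path, status = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
        events.append({"ts": when, "peer": peer, "xff": xff, "ua": ua,
                       "method": method, "path": path, "status": int(status)})
    return events


def detect_bypass_attempts(events, window=60, min_requests=5, min_distinct=4):
    """Group login-action requests by TCP peer and window, ignoring every
    client-supplied header. Flag a peer that exceeds the request threshold and
    note whether it rotated X-Forwarded-For or User-Agent values while doing so."""
    per_bucket = defaultdict(
        lambda: {"n": 0, "xff": set(), "ua": set(), "paths": set(), "denied": 0})
    for e in events:
        if e["path"] not in LOGIN_PATHS:
            continue
        b = per_bucket[(e["peer"], int(e["ts"] // window))]
        b["n"] += 1
        b["xff"].add(e["xff"])
        b["ua"].add(e["ua"])
        b["paths"].add(e["path"])
        if e["status"] == 429:
            b["denied"] += 1
    findings = []
    for (peer, bucket), b in sorted(per_bucket.items()):
        if b["n"] < min_requests:
            continue
        findings.append({
            "peer": peer,
            "window_start": bucket * window,
            "requests": b["n"],
            "denied_429": b["denied"],   # zero here means the limiter never fired
            "distinct_xff": len(b["xff"]),
            "distinct_ua": len(b["ua"]),
            "paths": sorted(b["paths"]),
            "header_rotation": len(b["xff"]) >= min_distinct or len(b["ua"]) >= min_distinct,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_bypass_attempts(parse_log(LOG_LINES)):
        print(finding)
```

The aggregation key is deliberately the TCP peer and the time window only; anything the client can set is recorded as evidence but never used to split the count. A finding with many requests, no 429s and a high distinct header count is the signature of a limiter that keyed on something it should not have.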

Practical Rate Limit Testing Workflow

Step 1: Identify Rate-Limited Actions

Test operations such as:

  • login

  • OTP request

  • password reset

  • registration

  • search

  • comment submission

  • file upload

Trigger them repeatedly.

Step 2: Detect Rate Limit Response

Typical responses:

429 Too Many Requests
Rate limit exceeded
Retry-After: 60

If no such response appears, a rate limit may not exist.

Step 3: Attempt Bypass Techniques

Test:

  • changing IP

  • modifying headers

  • altering tokens

  • switching endpoints

  • switching HTTP method

Observe if rate limit resets or disappears.

Step 4: Burp Suite Intruder Testing

Use Intruder with:

  • cluster bomb

  • pitchfork

  • sniper

Check which payloads evade the limiter.

Step 5: Test Timing Thresholds

Attackers often test:

  • very fast bursts

  • slow, distributed requests

  • alternating intervals

Some rate limiters only measure per-second spikes.

Step 6: Check API Documentation or Hidden Endpoints

Developers often forget to apply checks to:

  • older versions

  • testing endpoints

  • mobile APIs

  • admin/backend APIs

These become weak points.

Step 7: Combine Techniques for Maximum Bypass

Example bypass chain:

  1. Modify IP through header

  2. Reset cookie value

  3. Switch between /login and /auth/login

  4. Use POST then GET

  5. Vary payload formatting

Each variation may evade one layer of rate limiting.

Advanced Rate Limit Bypass Scenarios

OTP / 2FA Bypass

Attackers spam OTP requests:

  • brute-force OTP codes

  • exhaust user’s SMS

  • disable account temporarily

If rate limits are poorly enforced, OTP brute-force becomes feasible.
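Request throttling is exactly the layer the bypasses above defeat, so OTP verification also needs a cap that travels with the code itself rather than with the request path. This is an added example, not code from the page: each issued code permits a fixed number of guesses before it is burned, expires after a TTL, is single-use, and the number of codes sent per account is capped to blunt SMS exhaustion. The OtpService class, the constants and the account names are assumptions made for the example; the two dictionaries stand in for a store shared by every backend node.

```python
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_VERIFY_ATTEMPTS = 5      # guesses allowed per issued code (assumed policy)
OTP_TTL_SECONDS = 300        # code lifetime (assumed policy)
MAX_ISSUES = 3               # codes that may be sent per account ...
ISSUE_WINDOW_SECONDS = 600   # ... within this window, limiting SMS exhaustion


@dataclass
class OtpState:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    """Server-side OTP state. Both containers stand in for a shared store, so the
    counters hold across every node and every route that reaches verify()."""

    def __init__(self):
        self.active = {}                      # account -> OtpState
        self.issue_log = defaultdict(deque)   # account -> issue timestamps

    def issue(self, account, now):
        """Return a fresh code, or None if the account has been sent too many."""
        q = self.issue_log[account]
        while q and q[0] <= now - ISSUE_WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ISSUES:
            return None
        q.append(now)
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.active[account] = OtpState(code, now)   # replaces any older code
        return code

    def verify(self, account, candidate, now):
        """Return "ok", "wrong", "locked" or "no_active_code"."""
        st = self.active.get(account)
        if st is None or now - st.issued_at > OTP_TTL_SECONDS:
            self.active.pop(account, None)
            return "no_active_code"
        st.attempts += 1
        if hmac.compare_digest(st.code, candidate):
            del self.active[account]   # single use
            return "ok"
        if st.attempts >= MAX_VERIFY_ATTEMPTS:
            del self.active[account]   # burn the code; a new one must be issued
            return "locked"
        return "wrong"


def guess_success_probability(attempts=MAX_VERIFY_ATTEMPTS, digits=OTP_DIGITS):
    """Chance that an attacker with this many guesses per code hits a random code."""
    return attempts / 10 ** digits


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice", now=0.0)
    wrong = "000000" if code != "000000" else "999999"
    print([svc.verify("alice", wrong, now=1.0) for _ in range(5)])   # four "wrong", then "locked"
    print(svc.verify("alice", code, now=2.0))                       # "no_active_code": burned
    print("per-code success probability:", guess_success_probability())
```

Because the guess budget is attached to the code, rotating IPs, headers or endpoints on the verification request buys nothing: five wrong guesses end the code whichever route they arrived by, and the per-account issue cap stops the attacker from simply requesting a new code on every attempt.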

Password Reset Token Brute Force

Reset tokens:

abcdef123456

Attackers attempt thousands of guesses if no rate limit applies.

Enumeration Attacks

Attackers enumerate:

  • usernames

  • emails

  • phone numbers

  • order IDs

  • invoice numbers

  • coupon codes

Rate limit bypass enables high-speed enumeration.

Denial of Wallet Abuse (Financial Apps)

Without limits, attackers:

  • claim unlimited coupons

  • generate unlimited referrals

  • spam transaction flows

This is a common business logic failure.

API Key Abuse

If an API uses per-key rate limits:

Attackers generate unlimited keys by creating disposable accounts.

Multi-Parameter Rate Limit Bypass

Some systems track limits by only one parameter:

IP + action

Attackers modify the “action” slightly:

/login
/login?step=1
/login?version=2
/login?flow=mobile

Each is treated as a different action, bypassing limits.
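The multi-parameter bypass just described and techniques 3 to 6 earlier on the page (method switching, alternate endpoints, other Content-Types, query-string variants) all exploit one defect: the limiter's key contains something the client can vary. The following added example (not the page's or any project's code) keys on the targeted account plus a canonical action name taken from a route table, so every variant above shares one quota, and it returns the Retry-After value a 429 response should carry. The ACTION_ROUTES table, the request dictionaries, the SlidingWindowLimiter class and the simulate() driver are assumptions made for the example; the in-memory log stands in for a store shared by all backend nodes.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

# Constructed route table: every route that performs the same business action maps
# to one action name. Method, query string and Content-Type play no part in the key.
ACTION_ROUTES = {
    "/login": "login",
    "/api/login": "login",
    "/auth": "login",
    "/auth/login": "login",
    "/v2/auth": "login",
    "/password/reset": "password_reset",
}


def canonical_action(method, url):
    """Reduce a request to the logical action it performs, ignoring the path
    variant, the HTTP method and the query string."""
    path = urlsplit(url).path.rstrip("/") or "/"
    return ACTION_ROUTES.get(path, path)


def naive_key(req):
    """The kind of key the bypasses exploit: every variant opens a new bucket."""
    return (req["account"], req["method"], req["url"], req["content_type"])


def hardened_key(req):
    """Key on the principal the action targets plus the canonical action name.
    For login that principal is the account under attack, so rotating the source
    address, headers or route does not open a fresh quota."""
    return (req["account"], canonical_action(req["method"], req["url"]))


class SlidingWindowLimiter:
    """Sliding-window log limiter. self.log stands in for a store shared by every
    backend node, so requests distributed across many clients are counted together."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.log = defaultdict(deque)

    def check(self, key, now=None):
        """Return (allowed, retry_after_seconds); a denied request is not recorded."""
        now = time.monotonic() if now is None else now
        q = self.log[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, int(q[0] + self.window - now) + 1
        q.append(now)
        return True, 0


def simulate(requests, key_func, limit=5, window=60):
    """Feed requests one second apart; return (allowed_count, per-request decisions)."""
    limiter = SlidingWindowLimiter(limit, window)
    decisions = [limiter.check(key_func(r), now=float(i)) for i, r in enumerate(requests)]
    return sum(1 for ok, _ in decisions if ok), decisions


# Constructed burst: eight attempts against one account using the variants from
# the text (alternate routes, GET vs POST, other Content-Types, query-string noise).
VARIANT_BURST = [
    {"account": "victim@example.com", "method": m, "url": u, "content_type": c}
    for m, u, c in [
        ("POST", "/login", "application/json"),
        ("GET", "/login", "application/json"),
        ("POST", "/api/login", "application/x-www-form-urlencoded"),
        ("GET", "/v2/auth", "text/plain"),
        ("POST", "/auth", "multipart/form-data"),
        ("POST", "/login?step=1", "application/json"),
        ("POST", "/login?version=2", "application/json"),
        ("POST", "/login?flow=mobile", "application/json"),
    ]
]

if __name__ == "__main__":
    print("naive keying allowed:", simulate(VARIANT_BURST, naive_key)[0], "of", len(VARIANT_BURST))
    allowed, decisions = simulate(VARIANT_BURST, hardened_key)
    print("hardened keying allowed:", allowed, "of", len(VARIANT_BURST))
    print("first denial -> HTTP 429, Retry-After:", next(r for ok, r in decisions if not ok))
```

Under the naive key all eight variants pass; under the hardened key the sixth request is refused with a Retry-After of 56 seconds, and the remaining variants are refused too, because every one of them resolves to the same (account, "login") bucket. Keying on the targeted account rather than the source is what makes the distributed and proxy-rotation variants ineffective as well.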

Why Rate Limit Bypass Happens

Root causes:

  • relying on weak identifiers (IP, headers)

  • implementing restrictions only on the frontend

  • inconsistent backend access control

  • lack of uniform enforcement across API versions

  • poor understanding of attacker behavior

  • improper trust in CDN or load balancer headers

  • assuming users won’t alter or automate requests

Rate limits must always be server-side, consistent, and hardened.

Impact of Rate Limit Bypass

Rate limit bypass enables:

  • brute-force attacks

  • denial-of-service

  • OTP brute forcing

  • credential stuffing

  • account takeover

  • spam, abuse, fraud

  • massive enumeration

  • resource exhaustion

  • financial loss

  • large-scale API abuse

Rate limit bypass can compromise both security and business operations.

Intel Dump

  • Rate limit bypass occurs when request throttling is implemented weakly or inconsistently.

  • Common bypasses include IP spoofing, header manipulation, alternate endpoints, method switching, token resets, and distributed attacks.

  • Testing uses Burp Suite, automation, and variation across headers, methods, and endpoints.

  • High-risk features include login, OTP, password reset, search, and financial actions.

  • Impact ranges from brute-force and enumeration to full account takeover and business logic exploitation.
