top of page


  • Writer's pictureSecure Cyber Future

Bypass Rate Limit

Hello Friends,

I want to share a simple vulnerability that I find most of the time when I do bug bounty.

For all beginners, I would suggest whenever you try to find bugs in the website; you must try rate limit vulnerability, which is easy to find & more comfortable.

What is rate limit?

A rate limiting algorithm is used to check if the user session (or IP-address) has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code 429: Too Many Requests.


Let's start

Last Sunday I got an invite from a private program on bugcrowd, so I started looking for vulnerabilities.

As usual, I start with rate limit on login form or on a email verification endpoints.

But it was protected with rate limit :(

So decided to bypass it

We All know X-Forwarded-For: IP is commonly used to bypass rate limiting.

So I tried with X-Forwarded-For: IP but no luck :(

I put all of this payloads X-Originating-IP:, X-Forwarded-For:, X-Remote-IP:, X-Remote-Addr: still no luck:(

I got frustrated and typed random words in this payload X-Forwarded-For: asdfgd and boom It worked :)

Immediately created a POC and reported to the program.

After two days program rewarded me $300.

But the story doesn't end here after a 1-month program changed the vulnerability status to resolved.

So I thought let's see what they implemented in a fix, and lucky they were using IP-based blocking which can bypass by rotating proxies.

What is a rotating proxy?

A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection. That means you can launch a script to send 10,000 requests to any number of sites and get 10,000 different IP addresses.

I use AWS API Gateway with IP Rotate Burp Extension, It is easy to use & the main point is no coding required.

So one more time, I was able to bypass it and the program rewarded me $300 again.


  • If you don't have an AWS account, you can use - No Credit Card Required, but you may have to create a PHP code for this as it doesn't integrate with IP Rotate Burp Extension.

  • Always test the vulnerabilities which are patched.

Hope you liked it! ❤️


8,736 views0 comments


bottom of page