BOOK THIS SPACE FOR AD
ARTICLE ADIntroduction
Rate limiting is a crucial security feature to prevent abuse by controlling the number of requests a user or system can make to a server within a certain timeframe. However, attackers have developed numerous techniques to bypass these limits and exploit the system.
In this article, we’ll cover all known methods that pentesters and bug hunters have used, including header manipulation, changing user-agent, and other advanced tricks.
Attackers can manipulate headers like X-Forwarded-For to trick the server into thinking requests come from different IPs. You can find a complete list of these headers at: Gist by Kaimi.
IP Spoofing2. Changing User-Agent
The User-Agent string identifies the type of client (browser, app, etc.) making the request. By altering this string, a user can make multiple requests appear as if they are coming from different sources, potentially bypassing server-imposed rate limits.
3. Using Capital Letters or URL Case Changes
Imagine you have a login page at the URL /login. The system enforces a rate limit to prevent brute force attacks by restricting the number of login attempts a user can make in a given time frame. For instance, after 5 failed attempts within a minute, further login attempts from the same IP or account may be blocked temporarily.
However, in some systems, the rate-limiting mechanism may rely on the exact string of the URL, including its casing. If the system does not normalize the case of the URL when applying the rate limit, it could treat /login and /logiN (with the capital “N”) as two distinct endpoints.
4. Parameter Manipulation
Adding unnecessary parameters to URLs (e.g., &random=value) can make the requests appear unique, bypassing rate limits.
Example: http://example.com/resource?id=123&random=987
5. Server-side HTTP Parameter Pollution (HPP)
When a server is vulnerable to HPP, it’s possible to send two username parameters with different values. The server might use one parameter to determine if the request should be blocked due to rate limiting, while the other parameter is used for the actual authentication process.
Example:
GET /login/otp?code=123&email=example2@mail.com&email=example@mail.com
6. Requesting New Session IDs After Expiry
In some authentication processes, the user starts a session by providing their email or phone number. The server returns a session ID and sends an OTP for verification. Often, the rate limiting for OTP attempts is tied to the session ID, while the endpoint to start new sessions lacks rate limiting. By requesting a fresh session ID each time the previous one expires or is blocked, attackers can bypass rate limits.
7. HTTP Method Switch (GET/POST/PUT/PATCH/HEAD/OPTIONS)
In certain situations, bypassing weakly configured WAFs or blacklists can be achieved by switching the HTTP request method. This involves transferring POST parameters to the URL as GET parameters, or the reverse. Additionally, experimenting with methods like PUT or PATCH may yield similar results.
8. Protocol Downgrading (HTTP/1.1, HTTP/2)
Some applications apply rate-limiting logic differently for HTTP/1.1 and HTTP/2, creating opportunities for attackers to exploit inconsistencies.
Track rate limits per HTTP connection: This is common with HTTP/1.1 because each request uses a separate connection, and rate limits may be enforced by counting the number of open connections.Track rate limits per request in HTTP/2: Since HTTP/2 multiplexes requests, a rate limit may focus on the total number of requests made through the connection, not on the connection itself.Bypassing Rate Limits with Protocol Downgrading
Scenario 1: Bypassing HTTP/2 rate limits by downgrading to HTTP/1.1, where rate limits may be less strict.Scenario 2: Exploiting HTTP/2 multiplexing to send multiple requests in parallel over a single connection, bypassing connection-based rate limits.9. The Route Alteration Strategy
Rate-limiting is often tied to particular endpoint routes, and altering the route slightly can sometimes bypass these limitations. By appending /. or /.. to the endpoint, the request might no longer match the rate-limiting rules, allowing for additional requests.
How it works:
Modification Technique: Append /. or /.. to the route.Normalization Confusion: The server may strip these changes during normalization. As a result, both /path and /path/.. could be treated as identical after the server processes them.10. Adding characters such as null bytes, carriage returns, or spaces.
In username-based rate limiting systems, it may be feasible to create inconsistencies between the code that processes login attempts and the code that enforces rate limiting by adding specific characters. For instance, appending characters like %00 to an email, such as example@email.com%00, could result in the login code interpreting it as example@email.com, while the rate-limiting logic might see it as a separate entry, allowing one to bypass the rate limit.
Experiment with adding or prepending characters such as %00, %20, %09, %0d, or %0a for similar effects.
Null byte11. Encoding
In username-based rate limiting systems, it’s possible to introduce a mismatch between the code that processes login credentials and the code responsible for enforcing rate limits by partially encoding the username, email, or phone number.
For instance, submitting e%78ample@em%61il.com may be interpreted as example@email.com by the authentication code, while the rate-limiting system could treat it as a distinct email address, thus bypassing rate limits.
Encoding12. Bypassing CDN-based Rate Limiting
Attackers can access the origin server directly, bypassing CDN protections like Cloudflare by targeting the server’s IP address.
Example: http://origin-ip-address/resource
13. IP Rotation
This technique involves rotating IP addresses to bypass rate limits that track requests based on IP addresses. Attackers can use VPNs, proxies, or TOR to change their IP after reaching the limit.
14. Referer Header Spoofing
In very rare cases, Rate Limit may be implemented on the Referer header.
Attackers can spoof the Referer header to bypass rate limits that rely on this header to verify the source of the requests.
15. Cookie Manipulation
Clearing or changing cookies may reset the rate-limiting counter, tricking the server into treating the request as new.
Conclusion
Rate limiting is an essential feature for protecting web applications and APIs from abuse. However, attackers have developed numerous techniques to bypass these defenses. The methods outlined above, ranging from simple IP rotation to more advanced techniques, demonstrate the importance of building robust, multi-layered security systems. By understanding these techniques, developers and security professionals can better anticipate how attackers may attempt to bypass rate limits and design more resilient systems.
Stay vigilant and secure your applications!
Find me on LinkedIn: Iliya Afifi