About

Hey! I'm zseano and I run BugBountyNotes. I do bug bounties full time and I managed to reach the top 10 on Bugcrowd in just 8 months from one program. I am lucky to attend live events by HackerOne and this is what inspired me to create this! :) I specialise in webapp testing and I love helping others. Feel free to reach out

Rate Limits.. can we bypass them?

I don't think rate limits need an explanation, but for those scratching their heads: a rate limit is designed to stop you from abusing a certain action or endpoint, for example logging in (brute forcing an account). When the limit is hit, the user is usually either blocked from performing that action for a set amount of time, or presented with a captcha. In this tutorial we're going to go over some bypasses I've used in the past on bounty programs, and places you can look.

Please read

Rate limit issues are often contested as bugs. Things like spamming are sometimes not considered a "security bug", so please use your head when looking for and reporting these types of issues. Some sites have extra protection in place to prevent brute forcing of accounts, so always assess impact before testing and reporting anything you find.

What should be protected..

First of all I'm going to outline common actions which should be protected by rate limiting, and where you might score a bounty.

  1. Login

    The most obvious. If there is no rate limiting on login, accounts can be brute forced easily. With that said, always check the policy of the program you are testing against for their rules on this. Not all login forms require rate limiting, so again, be wary when testing and reporting.

  2. 2-Factor Login

    Even if you know someone's login credentials, if 2FA is enabled chances are you won't get any further. Yay. Sometimes the 2FA code you receive by text/email/call is a 4-6 digit number, and if no rate limiting applies here, what can we do? You guessed it: brute force the code. This is typically where most researchers score the "big bounties".

Common Bypasses

Depending on whether any rate limiting protection is in place, you can test the following to get a better understanding:

  1. Change cookie values and check for any changes

  2. Use X-Forwarded-For:theirip or

  3. If authenticated, simply try logging out and back in
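As an added example (not code from the original post), here is a small Python rate limiter showing why the bypasses above work and how a defender closes them: when the limiter keys on X-Forwarded-For or on a session cookie, attempts that rotate those values are never counted together, whereas keying on the peer address plus the targeted account (the 2FA-code case from the earlier section) holds the limit. The request shape, key functions and 20-attempt sample are assumptions constructed for this demo.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5      # attempts allowed per key per window
WINDOW_SECONDS = 60   # sliding window length

class RateLimiter:
    """Sliding-window counter; the key function decides what 'one client' means."""
    def __init__(self, key_func, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.key_func, self.max_attempts, self.window = key_func, max_attempts, window
        self.attempts = defaultdict(list)  # key -> timestamps of recent attempts

    def allow(self, request, now):
        key = self.key_func(request)
        recent = [t for t in self.attempts[key] if now - t < self.window]
        self.attempts[key] = recent
        if len(recent) >= self.max_attempts:
            return False
        recent.append(now)
        return True

# Weak key: trusts X-Forwarded-For, a header the client can set to any value.
def key_by_forwarded_header(req):
    return req["headers"].get("X-Forwarded-For", req["remote_addr"])

# Weak key: a session cookie, which the client can change or reset by logging out.
def key_by_session_cookie(req):
    return req["cookies"].get("session", "anonymous")

# Hardened key: the socket peer address (or the client IP your own proxy verified)
# combined with the targeted account, so header spoofing or a fresh session does
# not reset the counter for that account.
def key_by_peer_and_account(req):
    return f"{req['remote_addr']}|{req['body']['username'].lower()}"

def make_request(i, spoof_header=False, rotate_cookie=False):
    """Constructed OTP-verification attempt number i against one account."""
    return {
        "remote_addr": "203.0.113.10",  # constructed client address
        "headers": {"X-Forwarded-For": f"10.0.0.{i}"} if spoof_header else {},
        "cookies": {"session": f"s{i}" if rotate_cookie else "s0"},
        "body": {"username": "Victim@example.com", "code": f"{i:04d}"},
    }

def attempts_allowed(key_func, spoof_header=False, rotate_cookie=False, n=20):
    """Return how many of n attempts get through a limiter using key_func."""
    limiter = RateLimiter(key_func)
    reqs = [make_request(i, spoof_header, rotate_cookie) for i in range(n)]
    return sum(limiter.allow(r, now=i) for i, r in enumerate(reqs))
```

With the header- or cookie-keyed limiter all 20 attempts go through once those values rotate, while the peer-plus-account key lets only the first 5 through regardless.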