I don't think rate limits need an explanation, but for those scratching their head: rate limits are designed to stop you from abusing a certain action/endpoint, for example logging in (brute forcing an account). When a rate limit kicks in the user is either blocked from performing that action for x amount of time, or they are hit with a captcha. In this tutorial we're going to go over some bypasses I've used in the past on bounty programs, and places you can look.
Whether a missing rate limit counts as a bug is often argued about. Things like spamming are sometimes not considered a "security bug", so please use your head when looking for and reporting these types of bugs. Some sites have other protection in place to prevent brute forcing on accounts, so always assess impact before testing & reporting any issues you find.
What should be protected?
First of all I'm going to outline common actions which should be protected by rate limiting, and places where you can maybe score a bounty.
Login: the most obvious one. If there is no rate limiting on login then you can brute force accounts with ease. With that said, always check the policy of the program you are testing against for their rules on this. Not all login forms are expected to have rate limiting, so again, be wary when testing & reporting.
2FA: even if you know someone's login credentials, if 2FA is enabled chances are you won't get any further. Yay. Sometimes the 2FA text/email/call you receive will be a 4-6 digit number, and if no rate limiting applies here, what can we do? You guessed it, brute force the code. This is typically where most researchers score the "big bounties".
Depending on whether any rate limiting protection is in place, you can test the following to get a better understanding:
Change cookie values and check for any changes
Use X-Forwarded-For:theirip or 127.0.0.1
If authenticated, simply try logout & back in
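To show why the cookie and X-Forwarded-For checks above matter from the defending side, here is an added example (mine, not code from the original post): a small sliding-window limiter run with two different "who is this attempt charged to" key functions. The request shape, the limit of 5 per 60 seconds and the sample attempts are all constructed for the demo.

```python
import time
from collections import defaultdict, deque

# Constructed minimal sliding-window limiter. `key` decides whose budget an
# attempt is charged to, and that choice is what makes or breaks the limiter.
class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def weak_key(request):
    # Trusts the client-supplied X-Forwarded-For header: a fresh value per
    # request means a fresh, empty counter per request.
    return request["headers"].get("X-Forwarded-For", request["remote_addr"])

def hardened_key(request):
    # Peer address as seen by the server (or set by a trusted reverse proxy)
    # plus the targeted account, so neither a forged header nor a new
    # cookie/session resets the budget for that account.
    return (request["remote_addr"], request["form"]["username"].lower())

def simulate_login_attempts(key_func, attempts, limit=5, window=60):
    """Return how many of `attempts` (one per second) the limiter lets through."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(1 for i, req in enumerate(attempts)
               if limiter.allow(key_func(req), now=float(i)))

# Constructed sample: 20 login attempts against one account, each with a
# different spoofed X-Forwarded-For value and a fresh session cookie.
SAMPLE_ATTEMPTS = [
    {"remote_addr": "203.0.113.7",
     "headers": {"X-Forwarded-For": f"10.0.0.{i}", "Cookie": f"session=s{i}"},
     "form": {"username": "Alice", "password": f"wrong{i}"}}
    for i in range(20)
]

if __name__ == "__main__":
    print("weak limiter let through:", simulate_login_attempts(weak_key, SAMPLE_ATTEMPTS))
    print("hardened limiter let through:", simulate_login_attempts(hardened_key, SAMPLE_ATTEMPTS))
```

The weak keying lets all 20 guesses through, the hardened keying stops at 5; keying on the account as well as the address is what also defeats the "log out & back in" and cookie-change tricks.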