HTTP Rate limiting

What is it?

Rate limiting prevents us from sending large numbers of requests to a target. It can also be referred to as throttling.

A simple example:

• An application has a login form

• When a request is made to login, the IP is saved and a counter assigned

• If more than 10 attempts are made within 1minute the IP is blocked

Checklist

• Can we identify how the rate-limiting is being applied?

• Can we spoof the a header that's being used

  • X-Real-IP

  • X-Forwarded-For

  • X-Originating-IP

  • Client-IP

  • True-Client-IP

• Can we use other user agents?

• Can we use different cookies or session tokens?

• Can we tamper with HTTP verbs

• Can we decrease the frequency of requests and leave overnight?

• Can we create legitimate-looking behaviour

HTTP Rate Limit Bypass

The 429 “Too Many Requests” response in HTTP header occurs when the client has sent too many requests in a given amount of time (rate limiting). That is because the server limits the number of requests. However, we may be able to bypass this restriction.

Bypass

We may be able to bypass the rate limiting by adding one of the following headers and change the IP per request. Sometimes, we need to add multiple headers.

X-Forwarded: <IP>
X-Forwarded-For: <IP>
X-Forwarded-Host: <IP>
X-Client-IP: <IP>
X-Remote-IP: <IP>
X-Remote-Addr: <IP>
X-Host: <IP>
X-Originating-IP: <IP>

References

• InfoSec Writeups