# HTTP Rate limiting

## What is it?

Rate limiting restricts how many requests a client can send to a target within a given period. It is also referred to as throttling.

A simple example:

* An application has a login form
* When a request is made to login, the IP is saved and a counter assigned
* If more than 10 attempts are made within 1 minute, the IP is blocked

### Checklist

* [ ] Can we identify how the rate-limiting is being applied?
* [ ] Can we spoof a header that's being used?
  * [ ] `X-Real-IP`
  * [ ] `X-Forwarded-For`
  * [ ] `X-Originating-IP`
  * [ ] `Client-IP`
  * [ ] `True-Client-IP`
* [ ] Can we use other user agents?
* [ ] Can we use different cookies or session tokens?
* [ ] Can we tamper with HTTP verbs?
* [ ] Can we decrease the frequency of requests and leave it running overnight?
* [ ] Can we create legitimate-looking behaviour?

## HTTP Rate Limit Bypass <a href="#http-rate-limit-bypass" id="http-rate-limit-bypass"></a>

The HTTP 429 “Too Many Requests” status code is returned when the client has sent too many requests in a given amount of time (rate limiting). That is because the server limits the number of requests per client. However, we may be able to bypass this restriction.

### Bypass <a href="#bypass" id="bypass"></a>

We may be able to bypass the rate limiting by adding one of the following headers and changing the IP value on each request.\
Sometimes, we need to add multiple headers at once.

```http
X-Forwarded: <IP>
X-Forwarded-For: <IP>
X-Forwarded-Host: <IP>
X-Client-IP: <IP>
X-Remote-IP: <IP>
X-Remote-Addr: <IP>
X-Host: <IP>
X-Originating-IP: <IP>
```
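The defensive counterpart, as an added example that is not from the original page or the referenced writeup: a login rate limiter that derives its key from the nearest hop that is not a configured trusted proxy, so the client-supplied headers listed above have no effect on which bucket a request lands in. The trusted proxy range, window and attempt limit are constructed values.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed config: only these proxies are allowed to append X-Forwarded-For hops.
TRUSTED_PROXIES = {ipaddress.ip_network("10.0.0.0/8")}
WINDOW_SECONDS = 60   # matches the "10 attempts per minute" example above
MAX_ATTEMPTS = 10


def is_trusted(ip):
    """True if ip parses and lies inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_key(remote_addr, headers):
    """Rate-limit key: the nearest hop that is not a trusted proxy.

    Walk X-Forwarded-For right to left, starting from the TCP peer. Anything
    further left was appended before the first untrusted hop, i.e. by the
    client itself, so spoofed X-Forwarded-For / X-Real-IP values are ignored.
    """
    if not is_trusted(remote_addr):
        return remote_addr  # direct connection: the peer address is authoritative
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # only proxies in the chain: fall back to the peer


class LoginRateLimiter:
    """Sliding-window counter keyed on client_key(), not on raw header values."""

    def __init__(self, now=time.monotonic):
        self.now = now  # injectable clock so the window can be tested deterministically
        self.hits = defaultdict(deque)

    def allow(self, remote_addr, headers):
        key = client_key(remote_addr, headers)
        q = self.hits[key]
        t = self.now()
        while q and t - q[0] >= WINDOW_SECONDS:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= MAX_ATTEMPTS:
            return False  # caller answers 429 Too Many Requests
        q.append(t)
        return True
```

Logging both the raw peer address and the computed key makes spoofed forwarding headers visible in the access log, which is the simplest detection for the bypass attempts described above.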

### References <a href="#references" id="references"></a>

* [InfoSec Writeups](https://infosecwriteups.com/bypassing-rate-limit-like-a-pro-5f3e40250d3c)
