AppSecExplained

Index < START HERE
- My courses
- How to get started from zero
📽️Live Stream Content
- Resource of the week
Enumeration
- Methodology
  - DNS
    Zone transfers
- Content discovery / recon
Common vulns
Bypassing controls
- Rate limiting
- WAF Bypasses
Scripts
Code review
- Getting started
Links worth your time

Powered by GitBook

On this page

What is it?
Checklist

Was this helpful?

Bypassing controls

Rate limiting

What is it?

Rate limiting prevents us from sending large numbers of requests to a target. It can also be referred to as throttling.

A simple example:

An application has a login form
When a request is made to login, the IP is saved and a counter assigned
If more than 10 attempts are made within 1minute the IP is blocked

Checklist

Can we identify how the rate-limiting is being applied?
Can we spoof the a header that's being used
- X-Real-IP
- X-Forwarded-For
- X-Originating-IP
- Client-IP
- True-Client-IP
Can we use other user agents?
Can we use different cookies or session tokens?
Can we tamper with HTTP verbs
Can we decrease the frequency of requests and leave overnight?
Can we create legitimate-looking behaviour

PreviousAPI: BFLA NextWAF Bypasses

Last updated 8 months ago