maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1095 from HackTricks-wiki/research_update_src_pentesting-web_rate-limit-bypass_20250711_012858

Browse Source 
Research Update Enhanced src/pentesting-web/rate-limit-bypas...
This commit is contained in:
SirBroccoli 2025-07-12 16:01:31 +02:00 committed by GitHub
commit ad720976e8
1 changed files with 68 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
src/pentesting-web/rate-limit-bypass.md
View File

@ -54,11 +54,74 @@ If the target system applies rate limits on a per-account or per-session basis,
Note that even if a rate limit is in place you should try to see if the response is different when the valid OTP is sent. In [**this post**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732), the bug hunter discovered that even if a rate limit is triggered after 20 unsuccessful attempts by responding with 401, if the valid one was sent a 200 response was received.
### Tools
---
- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): hashtag-fuzz is a fuzzing tool designed to test and bypass WAFs and CDNs. By leveraging advanced features such as random User-Agent and header value, random delays, handle multi-threading, selective chunking of wordlists and Round Robin proxy rotation for each chunked, it offers a robust solution for security professionals aiming to identify vulnerabilities in web applications.
### Abusing HTTP/2 multiplexing & request pipelining (2023-2025)
Modern ratelimiter implementations frequently count **TCP connections** (or even individual HTTP/1.1 requests) instead of the *number of HTTP/2 streams* a connection contains. When the same TLS connection is reused, an attacker can open hundreds of parallel streams, each carrying a separate request, while the gateway only deducts *one* request from the quota.
```bash
# Send 100 POST requests in a single HTTP/2 connection with curl
seq 1 100 | xargs -I@ -P0 curl -k --http2-prior-knowledge -X POST \
-H "Content-Type: application/json" \
-d '{"code":"@"}' https://target/api/v2/verify &>/dev/null
```
If the limiter protects only `/verify` but not `/api/v2/verify`, you can also combine **path confusion** with HTTP/2 multiplexing for *extremely* high-speed OTP or credential brute-forcing.
> 🐾 **Tip:** PortSwiggers [Turbo Intruder](https://portswigger.net/research/turbo-intruder) supports HTTP/2 and lets you fine-tune `maxConcurrentConnections` and `requestsPerConnection` to automate this attack.
### GraphQL aliases & batched operations
GraphQL allows the client to send **several logically independent queries or mutations in a single request** by prefixing them with *aliases*. Because the server executes every alias but the rate-limiter often counts only *one* request, this is a reliable bypass for login or password-reset throttling.
```graphql
mutation bruteForceOTP {
a: verify(code:"111111") { token }
b: verify(code:"222222") { token }
c: verify(code:"333333") { token }
# … add up to dozens of aliases …
}
```
Look at the response: exactly one alias will return 200 OK when the correct code is hit, while the others are rate-limited.
The technique was popularised by PortSwiggers research on “GraphQL batching & aliases” in 2023 and has been responsible for many recent bug-bounty payouts.
### Abuse of *batch* or *bulk* REST endpoints
Some APIs expose helper endpoints such as `/v2/batch` or accept an **array of objects** in the request body. If the limiter is placed in front of the *legacy* endpoints only, wrapping multiple operations inside a single bulk request may completely sidestep the protection.
```json
[
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"123"}},
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"456"}}
]
```
### Timing the sliding-window
A classic token-bucket or leaky-bucket limiter *resets* on a fixed time boundary (for example, every minute). If the window is known (e.g. via error messages such as `X-RateLimit-Reset: 27`), fire the maximum allowed number of requests **just before** the bucket resets, then immediately fire another full burst.
```
|<-- 60 s window ->|<-- 60 s window ->|
###### ######
```
This simple optimisation can more than double your throughput without touching any other bypass technique.
---
## Tools
- [**https://github.com/Hashtag-AMIN/hashtag-fuzz**](https://github.com/Hashtag-AMIN/hashtag-fuzz): Fuzzing tool that supports header randomisation, chunked word-lists and round-robin proxy rotation.
- [**https://github.com/ustayready/fireprox**](https://github.com/ustayready/fireprox): Automatically creates disposable AWS API Gateway endpoints so every request originates from a different IP address perfect for defeating IP-based throttling.
- **Burp Suite IPRotate + extension**: Uses a pool of SOCKS/HTTP proxies (or AWS API Gateway) to rotate the source IP transparently during *Intruder* and *Turbo Intruder* attacks.
- **Turbo Intruder (BApp)**: High-performance attack engine supporting HTTP/2 multiplexing; tune `requestsPerConnection` to 100-1000 to collapse hundreds of requests into a single connection.
## References
- PortSwigger Research “Bypassing rate limits with GraphQL aliasing” (2023) <https://portswigger.net/research/graphql-authorization-bypass>
- PortSwigger Research “HTTP/2: The Sequel is Always Worse” (section *Connection-based throttling*) (2024) <https://portswigger.net/research/http2>
{{#include ../banners/hacktricks-training.md}}