In the world of web apps, rate limiting is a crucial safeguard that is often underappreciated until it is bypassed. This blog post sheds light on how rate limits work and on the ways attackers get around them to perform malicious actions.

A rate limit bypass happens when someone finds a way to make more requests than they're supposed to, potentially causing problems for the website or other users.

Rate limiting is important because it:

  • Prevents servers from getting overwhelmed
  • Protects against certain types of attacks, such as brute-force and flooding attacks
  • Ensures fair usage for all users

Imagine you're at a popular ice cream shop. To keep things fair, they have a rule: each person can only buy three scoops per visit. That's basically what rate limiting does for websites. It says, "Hey, you can only make this many requests in this amount of time."

Now, picture someone at the ice cream shop who really wants more than three scoops. They might try to sneak back in line wearing a different hat, hoping the server won't recognize them. That's essentially what a rate limit bypass is in the digital world.

Why Should We Care About Rate Limits?

Rate limit bypasses can cause problems like:

  • Unfair advantage for some users
  • Increased costs for website owners
  • Potential for abuse in things like ticket-buying bots
  • In worst cases, it could lead to the website becoming unavailable
  • Brute-forcing passwords, leading to account takeover

Possible Rate Limit Bypasses

· IP Switching: Like changing hats in our ice cream example, an attacker may send requests from different IP addresses (proxies, VPNs, cloud instances) so that each one looks like a separate user to a limiter keyed on client IP.

· Header Manipulation: Websites often use information in request headers to identify users. If the limiter trusts a client-controlled header such as X-Forwarded-For or X-Real-IP as the client's address, changing that header on every request gives each request its own counter.

· Timing Attacks: Carefully timing requests to exploit how the rate limit is calculated, for example sending a burst right before and right after a fixed window resets so that twice the allowed number of requests lands in a short interval.

Now, let's talk about a rate limit bypass that I came across for performing email flooding:

I initially tried performing the rate limit bypass using the methods mentioned above but nothing worked.


I then tried other things, like appending %00 to the URL and changing the request method, but what worked for me was a very simple trick: adding a slash / at the end of the URL. Yes, it was that simple to bypass the rate limit in this scenario. The most likely explanation is that the limiter keyed its counter on the exact request path string, while the application's router treated /invite and /invite/ as the same endpoint, so the variant path got a fresh counter and still reached the handler.

So, after sending repeated requests to https://redacted.com/v1/dashboard-user/invite and receiving an HTTP 429 (Too Many Requests) response, all I did was change the URL to https://redacted.com/v1/dashboard-user/invite/ and it bypassed the rate limit in place.
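To make the trailing-slash observation concrete, here is a small added example (not code from the original post): a toy sliding-window limiter in Python with two keying strategies, one that counts against the raw request and one that counts against a normalized route and the socket peer address. The endpoint path is the one from the post with the host redacted; the client addresses, the X-Forwarded-For handling and the normalization rules are assumptions for illustration. It also exercises the IP-switching and header-manipulation bypasses listed earlier, so it goes beyond the single case described in the post.

```python
"""Why a trailing slash can defeat a rate limiter: a toy sliding-window
limiter with two keying strategies. Added example, not code from the
original post; the endpoint path, addresses and header usage are assumed."""
import re
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

LIMIT = 5       # requests allowed per client per endpoint ...
WINDOW = 60.0   # ... within this many seconds

ENDPOINT = "/v1/dashboard-user/invite"   # endpoint from the post (host redacted)


class RateLimiter:
    """Sliding-window counter. key_func decides what 'one client' means."""

    def __init__(self, key_func, limit=LIMIT, window=WINDOW):
        self.key_func, self.limit, self.window = key_func, limit, window
        self.hits = defaultdict(deque)   # key -> timestamps of recent hits

    def allow(self, request, now):
        """Return 200 if the request is admitted, 429 if it is throttled."""
        q = self.hits[self.key_func(request)]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return 429
        q.append(now)
        return 200


def weak_key(req):
    """Vulnerable keying: trusts a client-supplied X-Forwarded-For and counts
    against the raw method + path, so '/invite/' and '/invite' are separate
    buckets even though the router sends both to the same handler."""
    ip = req["headers"].get("X-Forwarded-For", req["peer_ip"])
    return (ip, req["method"], req["path"])


def normalize_path(raw):
    """Collapse the variants a router would treat as the same route."""
    path = unquote(urlsplit(raw).path)       # drop query string, decode %xx
    path = path.replace("\x00", "")          # defuse the %00 trick
    path = re.sub(r"/+", "/", path)          # '//' -> '/'
    return path.rstrip("/") or "/"           # trailing slash is not a new route


def strong_key(req):
    """Hardened keying: peer address from the socket (only a trusted reverse
    proxy should be allowed to set X-Forwarded-For), method ignored, and the
    normalized route rather than the raw string."""
    return (req["peer_ip"], normalize_path(req["path"]))


def make_request(path, method="POST", peer_ip="203.0.113.10", xff=None):
    """Build a constructed request record (sample data, not captured traffic)."""
    headers = {} if xff is None else {"X-Forwarded-For": xff}
    return {"method": method, "path": path, "peer_ip": peer_ip, "headers": headers}


def run_attack(key_func):
    """Exhaust the limit legitimately, then try each bypass variant.
    Returns [(variant name, status code), ...]."""
    limiter = RateLimiter(key_func)
    now = 0.0
    for _ in range(LIMIT):
        assert limiter.allow(make_request(ENDPOINT), now) == 200
        now += 0.1
    variants = [
        ("plain retry",    make_request(ENDPOINT)),
        ("trailing slash", make_request(ENDPOINT + "/")),
        ("null byte",      make_request(ENDPOINT + "%00")),
        ("double slash",   make_request(ENDPOINT.replace("/invite", "//invite"))),
        ("method change",  make_request(ENDPOINT, method="PUT")),
        ("spoofed XFF",    make_request(ENDPOINT, xff="198.51.100.7")),
    ]
    results = []
    for name, req in variants:
        results.append((name, limiter.allow(req, now)))
        now += 0.1
    return results


if __name__ == "__main__":
    for label, key in (("raw key", weak_key), ("normalized key", strong_key)):
        print(label)
        for name, status in run_attack(key):
            print(f"  {name:15s} -> {status}")
```

With the raw key, only the plain retry is throttled; the trailing slash, the null byte, the doubled slash, the method change and the spoofed header each land in a fresh bucket and get a 200. With the normalized key, all six variants are throttled. The general fix is to count against the route the framework actually resolved (and the address the connection actually came from), never against the string the client sent.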

For more details on rate limiting, please visit resources like:

https://owasp.org/API-Security/editions/2019/en/0xa4-lack-of-resources-and-rate-limiting/

https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/

https://hackerone.com/reports/165727
