Rate Limit Vulnerability

By | November 3, 2019

Rate limit vulnerability in a web application.

A rate limit algorithm checks whether a user session should be limited, based on the information held in the session cache.

If a client makes too many requests within a given timeframe, the HTTP server can respond with status code 429: Too Many Requests.

Let's check whether the website is vulnerable to a missing rate limit.

Go to the login page, enter a username, and intercept the request in Burp Suite.

Go to the Positions tab and add the password parameter as a position.

Go to the Payloads tab and load a password list that includes the correct password.

Then start the attack. Burp Suite sends the requests to the website one after the other and shows the status code of each request we have made.

If the website still accepts login requests after more than 20 wrong passwords, it has no effective rate limit and is vulnerable.
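A login endpoint that would pass the check above, as an added example that is not part of the original post: it keeps a sliding-window count of failed logins per account and per client IP, and answers the 21st attempt inside the window with 429 and a Retry-After header. The user store, salt, thresholds and IP addresses are constructed for the demo.

```python
import hashlib
import hmac
import math
from collections import defaultdict, deque
MAX_FAILURES = 20     # failed logins tolerated per key inside the window
WINDOW_SECONDS = 600  # sliding-window length in seconds

class LoginRateLimiter:
    """Sliding-window count of failed logins, tracked per account and per client IP."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return q

    def retry_after(self, key, now):
        """Seconds until the key may try again; 0 means the attempt is allowed."""
        q = self._prune(key, now)
        return 0 if len(q) < self.max_failures else math.ceil(q[0] + self.window - now)

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)

# Constructed demo credential store: one hypothetical user, salted PBKDF2 hash.
_SALT = b"demo-salt-not-for-production"
def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
USERS = {"alice": _hash("correct horse battery staple")}
_DUMMY = _hash("placeholder")  # hashed for unknown users so timing does not reveal valid names

def login(username, password, client_ip, now, limiter):
    """Return (status_code, headers) as an Intruder run against this endpoint would observe them."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    wait = max(limiter.retry_after(k, now) for k in keys)
    if wait:  # the 21st attempt inside the window is refused before any password check
        return 429, {"Retry-After": str(wait)}
    ok = hmac.compare_digest(USERS.get(username, _DUMMY), _hash(password)) and username in USERS
    if ok:
        limiter.reset(keys[0])  # clear only the account counter; the IP counter keeps accruing
        return 200, {}
    for k in keys:
        limiter.record_failure(k, now)
    return 401, {}
```

Keying on both the account and the client IP means neither a single account sprayed from many addresses nor many accounts tried from one address slips under the threshold; production code would keep the counters in a shared store such as Redis rather than in process memory.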

See the video below for the proof of concept.


Author: Ravi Sarode, founder of hackersdude.com. I am an Ethical Hacker, Web Application Penetration Tester and Security Researcher.
