Rate Limit Vulnerability in a Web Application
A rate-limiting algorithm decides whether a client's requests should be throttled, based on the request history kept for that client (for example in the session cache, or keyed by account and source IP).
When a client makes too many requests within a given time frame, the HTTP server can respond with status code 429 Too Many Requests instead of processing the request.
Let's check whether the website's login form is missing a rate limit, which would allow unlimited password guessing.
Go to the login page, enter a username and any password, and intercept the request in Burp Suite.
Send the request to Intruder, go to the Positions tab and mark the password parameter as the payload position.
Go to the Payloads tab and load a password list that includes the correct password.
Start the attack. Burp Intruder sends the requests one after the other and shows the status code (and response length) of each response.
If the website keeps processing attempts after more than 20 wrong passwords, with no 429, lockout or CAPTCHA, and the correct password still logs in, the login form has no effective rate limit and is open to brute force. Note that a 429 is not the only sign of throttling: some servers answer 403, redirect to a CAPTCHA, or return 200 with an error page, so compare response lengths and bodies as well, and repeat the run from a second IP or account to learn what the limit is keyed on.
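The following Python script is an added example and is not part of the original write-up. It reproduces the Intruder run above in code: a checker that submits a password list and decides whether more than 20 guesses were processed without a 429, run against a simulated login endpoint with no limiter and against the same endpoint with a sliding-window limiter keyed on username and client IP. The login URL, form field names, the 20-attempt threshold and the "S3cret!" password are assumptions, and the password list is constructed for the demo.

```python
# Added example, not part of the original write-up. It reproduces the Burp
# Intruder check in code and contrasts a login endpoint with no rate limiting
# against one that throttles per (username, client IP).
# The login URL, form field names and the 20-attempt threshold are assumptions.
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict, deque


class LoginServer:
    """Stand-in for the target application's login handler (simulation)."""

    def __init__(self, correct_password="S3cret!", limit=None,
                 window=60.0, clock=time.monotonic):
        self.correct = correct_password
        self.limit = limit      # None: no rate limit (the vulnerable configuration)
        self.window = window    # sliding window in seconds
        self.clock = clock      # injectable so tests can fast-forward time
        self.failures = defaultdict(deque)  # (user, ip) -> timestamps of failed logins

    def login(self, username, password, client_ip):
        """Return an HTTP status code: 200 ok, 401 bad password, 429 throttled."""
        q = self.failures[(username, client_ip)]
        now = self.clock()
        while q and now - q[0] > self.window:      # forget failures outside the window
            q.popleft()
        if self.limit is not None and len(q) >= self.limit:
            return 429                              # Too Many Requests
        if password == self.correct:
            q.clear()
            return 200
        q.append(now)
        return 401


def check_rate_limit(send, passwords, threshold=20):
    """Replay the Intruder run: submit each password, collect status codes.

    `send(password)` returns the HTTP status for one login attempt. The run
    stops at the first 429. The target counts as vulnerable when more than
    `threshold` guesses were processed without ever being throttled.
    """
    codes = []
    for pw in passwords:
        code = send(pw)
        codes.append(code)
        if code == 429:
            break
    processed = sum(1 for c in codes if c != 429)
    return processed > threshold, codes


def http_sender(url, username, user_field="username", pass_field="password"):
    """Build a sender that POSTs a form login to a real target.

    The URL and field names are assumptions; take them from the intercepted
    request in Burp. Only status codes are inspected, so a site that answers
    200 with an error page still needs a manual look at the response body.
    """
    def send(password):
        body = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as exc:
            return exc.code
    return send


def demo():
    """Run the check against the unlimited and the throttled simulated server."""
    # Constructed password list: 24 wrong guesses, the real one, then 5 more.
    passwords = [f"wrong{i}" for i in range(24)] + ["S3cret!"] + ["wrongX"] * 5
    open_srv = LoginServer(limit=None)
    open_vulnerable, open_codes = check_rate_limit(
        lambda pw: open_srv.login("alice", pw, "203.0.113.7"), passwords)
    strict_srv = LoginServer(limit=10)
    strict_vulnerable, strict_codes = check_rate_limit(
        lambda pw: strict_srv.login("alice", pw, "203.0.113.7"), passwords)
    return open_vulnerable, open_codes, strict_vulnerable, strict_codes


if __name__ == "__main__":
    ov, oc, sv, sc = demo()
    print("no limiter : vulnerable =", ov, "codes =", oc)
    print("limit=10   : vulnerable =", sv, "codes =", sc)
```

Against the unlimited server the checker sees thirty processed attempts, including the 200 for the correct password, so it reports the form as vulnerable; with the limiter set to ten failures per minute the eleventh request is answered with 429 and the run stops, which is the behaviour you want to see in the Intruder results column. To run it against a real target, pass `http_sender(url, username)` as the `send` argument, after confirming the field names from the intercepted request.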
See the video below for the PoC.