Rate Limit Bug/Vulnerability


Welcome back. Today we are going to talk about the brute force bug, also called the rate limit bug or rate limit attack. It is usually reported as a P4 category bug, sometimes P3, depending on its impact. So today we are going to look at how we can find rate limit bugs or vulnerabilities.

With a rate limit vulnerability we can brute force usernames and passwords. These bugs normally occur on the login page and the signup page. For example, a login page asks for a user email and password; we can submit the request with any random email and password, capture it with an intercepting tool, and then try multiple passwords against it. Let's see an example.


For example, I have picked hackerone.com; this is the login page on which we will test for the rate limit bug. The URL is https://hackerone.com/users/sign_in, and in this request there are two input parameters: the first is email and the second is password.

So now let's fill in the email and a wrong password, and after that capture the request in Burp Suite.

Now right-click on the request and send it to Intruder, marking only the password parameter as the payload position,

like this. After that go to the Payloads tab and choose a password list; you can generate your own list or download a password file from Google or GitHub. Now it's time to start the attack.

In this picture you can see the 429 responses; that status means the site enforces a rate limit, so the rate limit bug is not present here. If the status code stays 200 for every request, then we have found a rate limit bug.
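For comparison, here is what the server side of a site that passes this check looks like. This is an added example, not hackerone.com's code or anything from the original post: an in-memory login handler with a sliding-window limit keyed on (client IP, email), where the threshold of 5 failures per 60 seconds, the example account and the 401 status for bad credentials are all assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed demo, not any real site's code. Thresholds are assumptions.
MAX_ATTEMPTS = 5       # failures allowed inside the window before a 429
WINDOW_SECONDS = 60.0  # sliding window length in seconds

# Constructed credential store; a real one would hold password hashes.
USERS = {"victim@example.com": "correct horse battery staple"}


class LoginRateLimiter:
    """Tracks failed login timestamps per (ip, email) key."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(deque)  # key -> failure timestamps

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, key, now):
        return len(self._prune(key, now)) >= self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


def handle_login(limiter, ip, email, password, now=None):
    """Return an HTTP-style status: 200 ok, 401 bad creds, 429 rate limited."""
    now = time.time() if now is None else now
    key = (ip, email.lower())
    if limiter.is_blocked(key, now):
        return 429  # this is the status the Intruder run above should see
    if USERS.get(email.lower()) == password:
        limiter.reset(key)
        return 200
    limiter.record_failure(key, now)
    return 401  # the same status on every attempt, no 429, is the bug
```

Keying on the IP alone leaves a per-account gap and keying on the account alone lets anyone lock out a legitimate user, so production systems usually combine both with backoff or a CAPTCHA step. The block check runs before the password check on purpose, so a blocked key is refused even with the right password until the window slides.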
