@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.







Rate Limits.. can we bypass them?

I don't think rate limits need an explanation, but for those scratching their heads: rate limits are designed to stop you from abusing a certain action/endpoint, for example logging in (brute forcing an account). When a rate limit is triggered, the user is sometimes either blocked from performing that action for x time, or hit with a captcha.
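As an added illustration (not part of the original post), here is a minimal login rate limiter of the kind described above: a sliding window of attempts per action and subject, with a lockout for a fixed time once the limit is hit. The class names, thresholds and the FakeClock are constructed for the demo and assume nothing about any particular site.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter with temporary lockout, keyed per (action, subject).
    Constructed example: at most `max_attempts` attempts per `window` seconds; once
    exceeded, the subject is blocked for `lockout` seconds. `clock` is injectable."""
    def __init__(self, max_attempts=5, window=60.0, lockout=300.0, clock=time.monotonic):
        self.max_attempts, self.window, self.lockout, self.clock = max_attempts, window, lockout, clock
        self._attempts = defaultdict(deque)   # key -> timestamps of recent attempts
        self._locked_until = {}               # key -> time at which the lockout expires

    @staticmethod
    def _key(action, subject):
        # Canonicalise the subject so equivalent spellings share one bucket.
        return (action, subject.strip().lower())

    def allow(self, action, subject):
        """Record an attempt; return True if it may proceed, False if rate limited."""
        key, now = self._key(action, subject), self.clock()
        if now < self._locked_until.get(key, 0.0):
            return False                      # still inside the lockout period
        history = self._attempts[key]
        while history and now - history[0] > self.window:
            history.popleft()                 # forget attempts older than the window
        if len(history) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout   # block for x time
            history.clear()                   # window restarts once the lockout ends
            return False
        history.append(now)
        return True

class FakeClock:
    """Constructed test clock: each read advances time by `step` seconds."""
    def __init__(self, start=0.0, step=1.0):
        self.now, self.step = start - step, step
    def __call__(self):
        self.now += self.step
        return self.now

def simulate_burst(usernames, max_attempts=5, window=60.0, lockout=300.0, step=1.0):
    """Feed a burst of login attempts (one every `step` seconds) through a fresh
    limiter and return (allowed, rejected) counts."""
    limiter = LoginRateLimiter(max_attempts, window, lockout, clock=FakeClock(step=step))
    allowed = sum(1 for user in usernames if limiter.allow("login", user))
    return allowed, len(usernames) - allowed

if __name__ == "__main__":
    print(simulate_burst(["victim"] * 20))              # (5, 15): burst hits the lockout
    print(simulate_burst(["victim"] * 20, step=100.0))  # (20, 0): attempts spaced past the window
```

The second run shows the other side of the design: a window that is short relative to how fast attempts arrive never trips, which is why the window, threshold and lockout have to be chosen against the action being protected.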

In this tutorial we're going to go over some bypasses I've used in the past on bounty programs, and places you can look.

Please read: rate limit issues are often argued about as bugs. Things like spamming are sometimes not considered a "security bug", so please use your head when looking for and reporting these types of bugs.


First of all I'm going to outline common actions which should be protected by rate limiting, and places where you can maybe score a bounty.

Methods to bypass

Rate limits are fun to find and even more fun to chain together to create something with a huge impact. Here are some methods I use to bypass rate limits:

Think before reporting

As explained a few times in this post, think before reporting. Rate limiting doesn't have to exist on EVERY action/endpoint, so make sure the rate-limiting bypass you've found has an actual security impact. If you can brute force accounts, manipulate important data, harvest private data, or chain a few bugs to unleash mass spam across a site, then get it reported. (I've probably missed some common actions, so please use your head.)

Happy hunting!