Bypassing Rate Limit Protection by spoofing originating IP
Weakness : Spoofing Originating IP
- Most Application’s use X-Forwarded-For common method for identifying the originating IP address of the client.
- We All know that using X-Forwarded-For: IP Header Can sometime’s Bypass Ratelimit Protection.
- Sometimes Adding Two Times X-Forwarded-For: IP Header Instead of One time Can Bypass Ratelimit Protection
- During testing one of the private hackerone target . They blocked my IP after 30–40 attempts because of fuzzing .
- Following are the Test Cases i Tried to Bypass their Protection.
- They Blocked My IP
2. Trying Host Header Injection Way : (No Success)
3. Trying X-Forwarded-For to Spoof Originating IP : (No Success)
4. Trying with X-Forwarded-For: IP Header 2x times Instead of One time, Bypass Ratelimit Protection
- I Asked Developer what make’s this behaviour , They SAID :