Bypassing Rate Limit Protection by spoofing originating IP


Severity: Medium

Complexity: Easy

Weakness: Spoofing Originating IP


  • Most applications use the X-Forwarded-For header as the common method for identifying the originating IP address of a client that arrives through a proxy or load balancer.
  • We all know that supplying our own X-Forwarded-For: IP header can sometimes bypass rate-limit protection, because the limiter keys on the header value instead of the TCP peer address.
  • Sometimes adding the X-Forwarded-For: IP header two times instead of one bypasses rate-limit protection even when a single header does not.
  • While testing a private HackerOne target, they blocked my IP after 30–40 attempts because of fuzzing.
  • Following are the test cases I tried to bypass their protection.

  1. They blocked my IP.

  2. Tried host header injection: no success.

  3. Tried X-Forwarded-For to spoof the originating IP: no success.

  4. Tried the X-Forwarded-For: IP header 2x times instead of one time: bypassed the rate-limit protection.


  • I asked the developer what makes this behaviour happen. They said:

¯\_(ツ)_/¯
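The developers never explained why one header was caught and two were not, so the following is an added example (not code from the original post, and not the target's real stack) that reproduces test cases 3 and 4 under one plausible, explicitly assumed mechanism: an edge proxy that overwrites only the first X-Forwarded-For header with the real peer address, while the application reads the last one. It then shows the pairing a practitioner actually wants: the edge appends the real peer address as the rightmost entry, and the app walks the chain from the right, skipping only trusted proxies. The addresses, the 30-request threshold, the helper names and the request shape are all constructed here.

```python
"""Rate limiting keyed on X-Forwarded-For: why one spoofed header can be
caught while two slip through, and what a correct edge/app pair looks like.
Added example, not code from the original post. The flawed edge behaviour
is an ASSUMPTION chosen to reproduce the write-up's observation; all
addresses and the threshold are constructed."""
from collections import defaultdict

LIMIT = 30                   # constructed: block a key after this many hits
EDGE_IP = "10.0.0.5"         # hypothetical edge proxy; the app sees it as TCP peer
TRUSTED_PROXIES = {EDGE_IP}
ATTACKER_IP = "203.0.113.7"  # constructed attacker address
XFF = "x-forwarded-for"


def xff_addresses(headers):
    """Every address from every X-Forwarded-For header, in wire order.
    `headers` is a list of (name, value) pairs so duplicate headers survive."""
    addrs = []
    for name, value in headers:
        if name.lower() == XFF:
            addrs.extend(a.strip() for a in value.split(",") if a.strip())
    return addrs


def edge_rewrite_first(real_ip, headers):
    """HYPOTHETICAL flawed edge: overwrite the first X-Forwarded-For header
    with the real peer address and leave any later duplicate untouched."""
    out, fixed = [], False
    for name, value in headers:
        if name.lower() == XFF and not fixed:
            out.append((name, real_ip))
            fixed = True
        else:
            out.append((name, value))
    if not fixed:
        out.append(("X-Forwarded-For", real_ip))
    return EDGE_IP, out


def edge_append(real_ip, headers):
    """Correct edge: collapse all X-Forwarded-For headers into one and append
    the real peer address LAST, so the hop nearest us is always rightmost."""
    chain = xff_addresses(headers) + [real_ip]
    out = [(n, v) for n, v in headers if n.lower() != XFF]
    out.append(("X-Forwarded-For", ", ".join(chain)))
    return EDGE_IP, out


def client_ip_last_header(peer_ip, headers):
    """Vulnerable app lookup: first address of the LAST X-Forwarded-For
    header, trusted unconditionally."""
    values = [v for n, v in headers if n.lower() == XFF]
    return values[-1].split(",")[0].strip() if values else peer_ip


def client_ip_hardened(peer_ip, headers):
    """Walk the chain from the right, skipping only trusted proxies; the first
    other address is the client. A peer that is not a trusted proxy gets no
    say: its X-Forwarded-For is ignored and the TCP peer address is the key."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    for addr in reversed(xff_addresses(headers)):
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer_ip


class RateLimiter:
    def __init__(self, key_func, limit=LIMIT):
        self.key_func, self.limit = key_func, limit
        self.hits = defaultdict(int)

    def allow(self, peer_ip, headers):
        key = self.key_func(peer_ip, headers)
        self.hits[key] += 1
        return self.hits[key] <= self.limit


def run_fuzz(edge, extractor, spoof_headers, attempts=40):
    """Constructed attack: one attacker sends `attempts` requests, each with
    `spoof_headers` copies of X-Forwarded-For carrying a fresh fake address.
    Returns how many requests the limiter blocked (0 means full bypass)."""
    limiter = RateLimiter(extractor)
    blocked = 0
    for i in range(attempts):
        fake = f"198.51.100.{i % 250 + 1}"
        headers = [("Host", "target.example")]
        headers += [("X-Forwarded-For", fake)] * spoof_headers
        peer, forwarded = edge(ATTACKER_IP, headers)
        if not limiter.allow(peer, forwarded):
            blocked += 1
    return blocked


if __name__ == "__main__":
    for edge in (edge_rewrite_first, edge_append):
        for app in (client_ip_last_header, client_ip_hardened):
            for n in (1, 2):
                print(f"{edge.__name__:18} {app.__name__:22} xff x{n}: "
                      f"blocked {run_fuzz(edge, app, n)} of 40")
```

Under the assumed flawed edge, one spoofed header is rewritten to the real address and the attacker is blocked after 30 hits, while two headers leave the second one intact and the limiter sees 40 distinct "clients", which is the write-up's result. Note that hardening only the application parser does not help against that edge (the rightmost address is still the attacker's), so the fix belongs at the edge: strip or append, never rewrite in place, and have the app trust X-Forwarded-For only when the TCP peer is a known proxy. When testing, try the header zero, one and two times and compare when the block triggers.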
