Bypassing Rate Limit Protection by spoofing originating IP

Arbaz Hussain
Aug 30, 2017 · 2 min read

Severity: Medium

Complexity: Easy

Weakness: Spoofing Originating IP


  • Most applications use the X-Forwarded-For header as the common method for identifying the originating IP address of the client.
  • It is well known that adding an X-Forwarded-For: IP header can sometimes bypass rate-limit protection.
  • Sometimes adding the X-Forwarded-For: IP header twice instead of once can bypass rate-limit protection.
  • During testing of one of the private HackerOne targets, they blocked my IP after 30–40 attempts because of fuzzing.
  • Following are the test cases I tried to bypass their protection.

  1. They blocked my IP.
  2. Trying host header injection: (no success)
  3. Trying X-Forwarded-For to spoof the originating IP: (no success)
  4. Trying the X-Forwarded-For: IP header 2x times instead of once: bypassed rate-limit protection


  • I asked the developer what makes this behaviour happen, and they said:

¯\_(ツ)_/¯
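The write-up leaves the root cause open, but the defensive lesson is clear: a limiter keyed on a client-supplied header can be reset by anyone who rewrites that header. The following example is added here and is not code from the post or the target; it contrasts a limiter that keys on X-Forwarded-For directly with one that only honours the header when the TCP peer is a known proxy (the 10.0.0.0/8 proxy range, the 203.0.113.7 client and the 198.51.100.x spoofed values are all constructed placeholders), and replays a 40-request burst with duplicated headers against both.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed topology (placeholder): our own reverse proxies live in this range.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def _is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_ip, xff_headers):
    """Weak: keys on whatever X-Forwarded-For the client sent (first header, first hop)."""
    if xff_headers:
        return xff_headers[0].split(",")[0].strip()
    return peer_ip

def hardened_client_ip(peer_ip, xff_headers):
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies:
    join all header instances in order, walk the chain right-to-left past
    trusted hops, and fall back to the peer on a malformed chain."""
    if not _is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return str(ip_address(hop))
        except ValueError:
            break
    return peer_ip

class RateLimiter:
    """Fixed-window counter keyed by the resolved client IP."""
    def __init__(self, limit, key_func):
        self.limit, self.key_func = limit, key_func
        self.counts = defaultdict(int)

    def allow(self, peer_ip, xff_headers=()):
        key = self.key_func(peer_ip, list(xff_headers))
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(limiter, attempts=40):
    """Constructed traffic: one direct client rotating spoofed, duplicated XFF headers."""
    blocked = 0
    for i in range(attempts):
        spoofed = f"198.51.100.{i % 250 + 1}"
        if not limiter.allow("203.0.113.7", [spoofed, spoofed]):
            blocked += 1
    return blocked
```

With a limit of 30, the naive limiter never blocks the burst because every request lands under a fresh key, while the hardened one keys on the real peer and rejects the last ten; behind a trusted proxy the hardened resolver still recovers the genuine client from the rightmost untrusted hop.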
