Bypassing IP Based Rate-Limit

Hello everyone, in this post I will briefly explain how to bypass this type of rate-limiting. Lets explain what this protection system is.

Let’s say you are trying to brute-forcing a login panel.

You are manually or automatically trying different usernames and password as usual. Normally every time the credentials are wrong the website should give you an error message like this.

But after couple of enumeration , website’s error message changed to this.

This is called “Rate-Limiting” and the way the system understands YOU made all these false attempts, is by your IP address forged into your request.

Let’s take a closer look to it.


The one on the left side is our request and the other one is site’s response to that request. Now since this protection depends on our IP address ,there should be a way to spoof it right? . Actually there is.

There is a HTTP header called “X-Forwarded-For” (XFF) which takes an IP address as value .This header basically tells the site that “Hey! this request actually comes from <value of XFF>”.

Now let’s try to send our request from a different IP address with help of XFF.

Now the website thinks this request comes from a different IP address.

Since that value of XFF will recognised by the website after some failed attempts , only thing left to continue our brute-force is automating this spoofing procedure.

We can solve this issue with Burp Suite’s Intruder tool.

In this example i will enumerate the XFF value and username to gather some info about correct username in order to find the password .

I have wordlist for username that contains 100 possible username.

Here is how I set those payload to the intruder.

For 100 username i need to create 100 IP address
Here is the wordlist for username enumeration

Let’s start the attack and see the result.

As I’ve mentioned above “Payload1” is value enumerated for XFF value ,

“Payload2” is our wordlist. All of these request are successfully maded.

I have selected a random request made form above and here is the result.

So Rate-Limit is no longer a problem to us. We can continue our attack.

Thank you for reading. I hope this was usefull.

I am currently a CSE student and a wannabe hacker

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store