No Rate Limit - 2K$ Bounty

3 min readJan 12, 2020

Summary :

In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller and is used to prevent DoS attacks.

Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. For example, let’s say you are using a particular service’s API that is configured to allow 100 requests/minute. If the number of requests you make exceeds that limit, then an error will be triggered

No rate limit means their is no mechanism to protect against the requests you made in a short frame of time. Say for example you have a forget password page and a victim’s email, now enter the victim’s email and intercept the request using burp suite (a proxy tool) and send that request to repeater or intruder for repeating it. If the repetition doesn’t give any error after 50, 100, 1000 repetitions then their will be no rate limit set.

Now the scope of this vulnerability is not limited only to forget password page you can also use it in comments, adding user (where you need to send an invite email), sending GIFs or messages, sending OTPs etc.

While searching for No Rate Limit I came across a comment section on yahoo.com where I was able to make 100–200 comments in less than 60 seconds and it was a GIF flood.