Summary :

In computer networks, rate limiting is used to control the rate of traffic sent or received by a network interface controller and is used to prevent DoS attacks.

Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. For example, let’s say you are using a particular service’s API that is configured to allow 100 requests/minute. If the number of requests you make exceeds that limit, then an error will be triggered.

No rate limit means there is no mechanism to protect against a large number of requests made in a short time frame. Say, for example, you have a forgot password page and a victim’s email: enter the victim’s email, intercept the request using Burp Suite (a proxy tool), and send that request to Repeater or Intruder to repeat it. If the repetition doesn’t give any error after 50, 100, 1000 repetitions, then there is no rate limit set.

The scope of this vulnerability is not limited to the forgot password page. The same issue can also appear in comments, adding users (where you need to send an invite email), sending GIFs or messages, sending OTPs, etc.
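The limit described above (100 requests/minute, with an error once it is exceeded) written as a server-side check. This is an added example, not code from the original post; the class and function names, the per-target key and the 203.0.113.7 client address are assumptions made for illustration.

```python
import math
import time
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """At most `limit` accepted requests per `window` seconds for each key."""
    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def check(self, *keys):
        """Return (allowed, retry_after); every key must be under the limit."""
        now = self.clock()
        blocked, retry_after = False, 0.0
        for key in keys:
            q = self.hits[key]
            while q and now - q[0] >= self.window:  # drop expired timestamps
                q.popleft()
            if len(q) >= self.limit:
                blocked = True  # oldest hit leaves the window at q[0] + window
                retry_after = max(retry_after, q[0] + self.window - now)
        if blocked:
            return False, retry_after
        for key in keys:  # only accepted requests are recorded
            self.hits[key].append(now)
        return True, 0.0


def handle(limiter, client_id, target=None):
    """HTTP-style (status, headers) for one request to a limited endpoint."""
    keys = [("client", client_id)]
    if target is not None:
        # Assumption: reset/OTP/invite endpoints also count per addressed account.
        keys.append(("target", target.lower()))
    allowed, retry_after = limiter.check(*keys)
    if allowed:
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(retry_after))}


def demo():
    """Constructed traffic: 150 requests in 15 s against a 100/minute limit."""
    t = [0.0]
    limiter = SlidingWindowLimiter(100, 60, clock=lambda: t[0])
    statuses = []
    for i in range(150):
        t[0] = i * 0.1
        statuses.append(handle(limiter, "203.0.113.7")[0])
    return statuses.count(200), statuses.count(429)
```

With several application processes, the counters would need to live in a shared store rather than in process memory.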

While searching for No Rate Limit I came across a comment section on where I was able to make 100–200 comments in less than 60 seconds and it was a GIF flood.

GIF flooding

I found it on 4 different endpoints on and I was paid a good amount. All the endpoints have been fixed.

How to attack using Intruder :

  1. Go to any endpoint where you can comment or you can send messages etc.
Burp Intruder

5. Now go to the payload section, where you can simply add a payload file which contains various words, or you can use the “Add from list” option

6. Click on start attack


7. Refresh the page and you’ll find the flood

Comment Flood

How to attack using Repeater :

  1. Send the request to repeater

2. Click on go as many times as you want the comment to be posted

3. Refresh the page

Thank You :)

Instagram : jerry._.3

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|
