Bypassing Rate Limit Protection by spoofing originating IP
Aug 30, 2017
Severity: Medium
Complexity: Easy
Weakness: Spoofing Originating IP
- Most applications deployed behind a reverse proxy or load balancer rely on the X-Forwarded-For header to identify the originating IP address of the client, because the TCP peer they see is the proxy, not the user.
- Because the header is just text the client sends, supplying your own X-Forwarded-For: IP header can sometimes bypass rate-limit protection: if the application keys its counter on an unverified header value, every request with a fresh value looks like a new client.
- Sometimes sending the X-Forwarded-For: IP header twice, instead of once, bypasses the rate limit even when a single header does not. A plausible reason is that the proxy and the application resolve duplicate headers differently (one overwrites or reads the first occurrence, the other reads the last), so a second copy slips past whatever the proxy did to the first; when testing, always try both forms rather than stopping after the single header fails.
- While testing one of the private HackerOne targets, they blocked my IP after 30–40 attempts because of fuzzing.
- Following are the test cases I tried to bypass their protection.
1. They blocked my IP.
2. Trying the Host header injection way: no success.
3. Trying X-Forwarded-For to spoof the originating IP: no success.
4. Trying the X-Forwarded-For: IP header 2x instead of once: bypassed the rate-limit protection.
- I asked the developer what makes this behaviour happen. They said:
¯\_(ツ)_/¯
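The following is an added example written for this edit; it is not code from the original write-up, and it does not reproduce the HackerOne target, whose stack is unknown. It models the post's test cases in Python: a rate limiter that keys on a client-controlled X-Forwarded-For value, the single-header spoof, the duplicated header, and a hardened proxy/application pair. The proxy that only overwrites the first X-Forwarded-For line is the editor's hypothesis for a configuration in which one spoofed header fails and two succeed, as observed above; the developer's answer does not confirm it. All addresses, hostnames and function names are constructed for the demo.

```python
from collections import defaultdict

ATTACKER_IP = "198.51.100.7"   # constructed: the tester's real address
PROXY_IP = "10.0.0.1"          # constructed: the reverse proxy in front of the app
TRUSTED_PROXIES = {PROXY_IP}


def build_request(path, headers):
    """Serialize a raw HTTP/1.1 request. `headers` is a list of (name, value)
    pairs so the same name can appear twice; a dict could not express that."""
    lines = [f"GET {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(raw):
    """Headers as an ordered list of (lower-cased name, value), duplicates kept."""
    head = raw.decode().split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def xff_values(headers):
    """Every X-Forwarded-For value in wire order; one header may hold 'a, b, c'."""
    vals = []
    for name, value in headers:
        if name == "x-forwarded-for":
            vals.extend(v.strip() for v in value.split(",") if v.strip())
    return vals


def proxy_append(raw, peer_ip):
    """Proxy that APPENDS its own XFF line holding the TCP peer it saw (the usual
    behaviour): client-supplied values stay to the left of the real one."""
    return raw[:-4] + f"\r\nX-Forwarded-For: {peer_ip}\r\n\r\n".encode()


def proxy_overwrite_first(raw, peer_ip):
    """HYPOTHETICAL proxy (editor's assumption, not the target's known setup) that
    'sets' XFF by overwriting only the FIRST matching line. One spoofed header is
    replaced, so the spoof fails; a second copy survives untouched."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines, done = [], False
    for line in head.split(b"\r\n"):
        if not done and line.lower().startswith(b"x-forwarded-for:"):
            line, done = b"X-Forwarded-For: " + peer_ip.encode(), True
        lines.append(line)
    if not done:
        lines.append(b"X-Forwarded-For: " + peer_ip.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def proxy_strip_then_set(raw, peer_ip):
    """Hardened proxy: drop EVERY inbound XFF line, then add exactly one with the
    peer it saw, so the app never sees a client-controlled value at all."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = [l for l in head.split(b"\r\n")
             if not l.lower().startswith(b"x-forwarded-for:")]
    lines.append(b"X-Forwarded-For: " + peer_ip.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def key_first_xff(headers, peer_ip):
    """VULNERABLE app rule: trust the first XFF value, i.e. whatever the client sent."""
    vals = xff_values(headers)
    return vals[0] if vals else peer_ip


def key_last_xff_from_trusted_proxy(headers, peer_ip):
    """Common hardened app rule: honour XFF only when the TCP peer is our proxy and
    take the RIGHTMOST value, the one an appending proxy wrote (with several proxy
    hops, walk right-to-left past each trusted address instead). This rule is only
    as good as what the proxy really does to the header, as the cases below show."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    vals = xff_values(headers)
    return vals[-1] if vals else peer_ip


class RateLimiter:
    """Fixed-window counter keyed by whatever `key_fn` says the client IP is."""
    def __init__(self, limit, key_fn):
        self.limit, self.key_fn = limit, key_fn
        self.hits = defaultdict(int)

    def allow(self, raw, peer_ip):
        key = self.key_fn(parse_headers(raw), peer_ip)
        self.hits[key] += 1
        return self.hits[key] <= self.limit


def spoof_none(i):
    return []

def spoof_single(i):
    """Test case 3 in the post: one XFF header, value rotated on every attempt."""
    return [("X-Forwarded-For", f"203.0.113.{i % 254 + 1}")]

def spoof_double(i):
    """Test case 4 in the post: the same XFF header sent twice."""
    return spoof_single(i) * 2


def allowed_requests(proxy, key_fn, spoof, limit=30, attempts=100):
    """Send `attempts` requests from ATTACKER_IP through `proxy` to an app that
    rate-limits on `key_fn`; return how many got through (== limit means no bypass)."""
    rl = RateLimiter(limit, key_fn)
    allowed = 0
    for i in range(attempts):
        raw = build_request("/login", [("Host", "target.example")] + spoof(i))
        if rl.allow(proxy(raw, ATTACKER_IP), PROXY_IP):
            allowed += 1
    return allowed


if __name__ == "__main__":
    cases = [
        ("append proxy, first-XFF app, no spoof", proxy_append, key_first_xff, spoof_none),
        ("append proxy, first-XFF app, 1x XFF", proxy_append, key_first_xff, spoof_single),
        ("append proxy, trusted-last app, 1x XFF", proxy_append, key_last_xff_from_trusted_proxy, spoof_single),
        ("overwrite-first proxy, trusted-last app, 1x XFF", proxy_overwrite_first, key_last_xff_from_trusted_proxy, spoof_single),
        ("overwrite-first proxy, trusted-last app, 2x XFF", proxy_overwrite_first, key_last_xff_from_trusted_proxy, spoof_double),
        ("strip-then-set proxy, trusted-last app, 2x XFF", proxy_strip_then_set, key_last_xff_from_trusted_proxy, spoof_double),
    ]
    for name, proxy, key_fn, spoof in cases:
        n = allowed_requests(proxy, key_fn, spoof)
        print(f"{name:50s} allowed {n:3d}/100 -> {'BYPASS' if n > 30 else 'held at limit'}")
```

The first two cases reproduce the basic X-Forwarded-For bypass: keyed on the first header value, the limiter counts each rotated address as a new client. The overwrite-first pair reproduces the pattern in the write-up (one header blocked, two headers through) under the hypothetical proxy; the fix that does not depend on guessing the proxy's behaviour is to strip every inbound X-Forwarded-For at the edge and set exactly one, or to key the limiter on the socket peer address when no trusted proxy is in front.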