Bypassing Rate Limit Protection by spoofing originating IP

Arbaz Hussain
2 min readAug 30, 2017


Severity: Medium

Complexity: Easy

Weakness : Spoofing Originating IP

  • Most Application’s use X-Forwarded-For common method for identifying the originating IP address of the client.
  • We All know that using X-Forwarded-For: IP Header Can sometime’s Bypass Ratelimit Protection.
  • Sometimes Adding Two Times X-Forwarded-For: IP Header Instead of One time Can Bypass Ratelimit Protection
  • During testing one of the private hackerone target . They blocked my IP after 30–40 attempts because of fuzzing .
  • Following are the Test Cases i Tried to Bypass their Protection.
  1. They Blocked My IP

2. Trying Host Header Injection Way : (No Success)

3. Trying X-Forwarded-For to Spoof Originating IP : (No Success)

4. Trying with X-Forwarded-For: IP Header 2x times Instead of One time, Bypass Ratelimit Protection

  • I Asked Developer what make’s this behaviour , They SAID :




Arbaz Hussain