Hello guys
Today I'm going to talk about how I managed to bypass rate limiting on one of the US Department of Defense sites.
I will explain this bug, and ways to mitigate it, in more detail in another article. Don't forget to check out the rest of the articles I publish on my Medium account.

While browsing one of the US Department of Defense websites, I found a feature that lets you subscribe with your personal email to receive notifications about any update.
I entered my email and intercepted the request using Burp Suite,
then sent the request to Repeater. After clicking Go many times,
I noticed this message:
{"status": "ERROR", "message": "es_rate_limit_notice", "message_text": "You need to wait for sometime before subscribing again"}

This means there is a rate limit on this endpoint.
I added the header X-Real-IP:
then clicked Go and got this message:
{"status": "SUCCESS", "message": "es_optin_success_message", "message_text": "Your subscription was successful! Kindly check your mailbox and confirm your subscription. If you don't see the email within a few minutes, check the spam \ / junk folder. "}

Note: don't forget to change your email each time, because if you subscribe again with the same email, the site will tell you that this email is already subscribed.

In PoC 2 I used the same approach as described in this article, but with the header
X-Forwarded-For: 195.623.23.45
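The root cause in both PoCs is the same: the rate limiter keys on an address taken from a client-supplied header (X-Real-IP or X-Forwarded-For) instead of the address of the TCP peer, so each request with a new header value looks like a new client. The following Python is an added example written for this article, not code from the affected site; it puts the weak lookup next to a hardened one that only honours forwarding headers when the connection actually comes from a known reverse proxy, and runs both through a small sliding-window limiter on constructed requests. The proxy address 10.0.0.5 and the client addresses used in the simulation are assumed values.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed: addresses of our own reverse proxies. Only these peers are
# allowed to tell us who the "real" client is.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(remote_addr, headers):
    """Weak lookup: trusts whatever the request says about itself."""
    return headers.get("X-Real-IP") or headers.get("X-Forwarded-For") or remote_addr


def client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Hardened lookup: forwarding headers count only behind a trusted proxy.

    A proxy appends the address it saw to the right end of X-Forwarded-For,
    so the rightmost entry is the hop our proxy added; everything left of it
    (and any X-Real-IP from an untrusted peer) is attacker-controlled text.
    Unparsable values such as 195.623.23.45 fall back to the peer address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted_proxies:
        return str(peer)
    for header, pick in (("X-Forwarded-For", lambda v: v.split(",")[-1]),
                         ("X-Real-IP", lambda v: v)):
        value = headers.get(header)
        if value:
            try:
                return str(ipaddress.ip_address(pick(value).strip()))
            except ValueError:
                return str(peer)
    return str(peer)


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per key per `window` seconds."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def subscribe(limiter, key_fn, remote_addr, headers, now):
    """Mimics the subscribe endpoint's two responses seen in the article."""
    if not limiter.allow(key_fn(remote_addr, headers), now):
        return {"status": "ERROR", "message": "es_rate_limit_notice"}
    return {"status": "SUCCESS", "message": "es_optin_success_message"}


def simulate(key_fn, requests=5, limit=3):
    """One peer (203.0.113.9) sends `requests` calls, each with a fresh
    X-Forwarded-For value; returns the list of status strings."""
    limiter = RateLimiter(limit=limit, window_seconds=60)
    statuses = []
    for i in range(requests):
        headers = {"X-Forwarded-For": f"198.51.100.{i}"}   # constructed, rotating
        statuses.append(subscribe(limiter, key_fn, "203.0.113.9", headers, float(i))["status"])
    return statuses


if __name__ == "__main__":
    print("naive   :", simulate(naive_client_ip))   # every request succeeds
    print("hardened:", simulate(client_ip))         # limit kicks in after 3
```

With the naive key function every spoofed header opens a new bucket and all five requests succeed; with the hardened one the peer address is the key, so the fourth and fifth requests get the es_rate_limit_notice error regardless of what the header says. Where the application really does sit behind a proxy, the same idea applies at the proxy layer: have it overwrite, not append to, client-supplied forwarding headers before they reach the limiter.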

PoC 1 (screenshot)

PoC 2 (screenshot)

All payloads have been uploaded to my GitHub account; don't forget to follow me.


Happy hacking

Security Researcher | Bug Bounty Hunter