Rate Limiting and its bypassing

Gupta Bless
5 min readOct 9, 2021
Photo by Vishnu R Nair on Unsplash


Whenever you are browsing a website and sending repeated requests within a short span of time, the website may stop responding or ask you to fill a captcha in order to move forward. This is known as “Rate Limiting” . It means the website is limiting the rate of the requests sent by you or your browser. This can be done for a lot of things such as protecting the application resources, and giving users a good response time on the website. Let us discuss further.

What is rate limiting?


“Rate limiting” is a method that can help to limit the consecutive request on the server. If server admin implemented the rate limiting on server, the attacker cannot misused server easily like attacker might be trying to do the DOS on the server, since a large number of consecutive requests in a short span of time is no accepted on the server, it will protect is from brute forcing and from the DOS as well.

There are many endpoints or functionality where the rate-limiting feature must be implemented like login, signup, forgot password, 2-factor authentication and wherever it is required such as on applying the coupon codes etc.

Example: let suppose the application is performing the authentication based on the OTP that is being sent to the user. The OTP is of 4 digits if there is not rate limiting implemented on that particular endpoint attacker can easily bruteforce the OTP and can login into the victims account.

Uses of Rate limiting:

  1. Reduces load on server so increase the performance of server.
  2. Eliminate the probability of brute force attack.
  3. Reduces the probability of DOS attack on server.

Why do they occur?

  • Every application has login functionality and if the admin has not implemented rate limiting on that particular endpoint attacker can use the…
Gupta Bless

Security enthusiast working to secure web for others.