Trick to bypass rate limit of password reset functionality

2 min read · Jul 12, 2021


Note: Since it's a private program, I will call it

Server behavior
If you send many requests, the password reset endpoint blocks you with response code 429 and the message “Too many requests”.

Attempts in testing

1- Changing the User-Agent header's value randomly in every request. [Failed]
2- Adding some headers like the ones below: [Failed]
X-Forwarded-For :
X-Forwarded-Host :
X-Client-IP :
X-Remote-IP :
X-Remote-Addr :
X-Host :
3- Adding a null byte or other control characters (%00, %09, %0d, %0a) to the email field in the request body. [Failed]
4- A lot of fuzzing, such as adding spaces, numbers, role:admin and others. [Failed]
5- Adding a parameter in the path. [Success] Bypassed!!

I can send more than 100 requests without taking a block.

Reproduce the issue step by step

  1. Go to this endpoint
  2. Reset the password and capture the request with Burp Proxy
  3. Add a parameter to the endpoint of the request, then send it to Intruder or send many requests manually

You will find out that you bypass the “Too many requests” prevention.
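To show why this bypass works and how a defender closes it, here is an added Python sketch (not from the original post or the program being tested): a rate limiter keyed on the raw request URL, which gets a fresh counter for every appended parameter, beside one keyed on the normalized route path plus the target account. The endpoint path, IP and e-mail address are constructed values.

```python
from collections import defaultdict
from urllib.parse import urlsplit

LIMIT = 5  # reset requests allowed per key before a 429 is returned


class ResetRateLimiter:
    """Counts password-reset requests per key and returns 429 once LIMIT is exceeded."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.counts = defaultdict(int)

    def handle(self, raw_url, client_ip, email):
        key = self.key_func(raw_url, client_ip, email)
        self.counts[key] += 1
        return 429 if self.counts[key] > LIMIT else 200


def weak_key(raw_url, client_ip, email):
    # Keys on the full request URL: '?cb=1', '?cb=2', ... each get a fresh counter,
    # which is the behaviour the write-up above exploits.
    return (client_ip, raw_url)


def hardened_key(raw_url, client_ip, email):
    # Keys on the route path with the query string stripped plus the normalized
    # target account. Appended parameters, trailing slashes and spoofed
    # X-Forwarded-For style headers no longer reset the count.
    path = urlsplit(raw_url).path.rstrip("/")
    return (path, email.strip().lower())


def simulate(limiter, attempts):
    # Constructed traffic: each reset request appends a different query parameter.
    statuses = []
    for i in range(attempts):
        url = f"/api/password/reset?cb={i}"  # constructed endpoint, not the real one
        statuses.append(limiter.handle(url, "203.0.113.10", "victim@example.com"))
    return statuses


def blocked_count(statuses):
    return sum(1 for s in statuses if s == 429)


if __name__ == "__main__":
    print("weak:", blocked_count(simulate(ResetRateLimiter(weak_key), 20)), "of 20 blocked")
    print("hardened:", blocked_count(simulate(ResetRateLimiter(hardened_key), 20)), "of 20 blocked")
```

With the weak key none of the 20 requests are blocked; with the hardened key everything after the fifth request is.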

Thank you for reading
wait for the best.