performing-api-rate-limiting-bypass
Installation
SKILL.md
Performing API Rate Limiting Bypass
When to Use
- Testing whether API rate limiting can be circumvented to enable brute force attacks on authentication endpoints
- Assessing the effectiveness of API throttling controls against credential stuffing or account enumeration
- Evaluating if rate limits are enforced consistently across all API versions, methods, and encoding formats
- Testing if API gateway rate limiting can be bypassed through header manipulation or IP rotation
- Validating that rate limits protect against resource exhaustion and denial-of-service conditions
Do not use without written authorization. Rate limit testing involves sending high volumes of requests that may impact service availability.
Prerequisites
- Written authorization specifying target endpoints and acceptable request volumes
- Python 3.10+ with
requests,aiohttp, andasynciolibraries - Burp Suite Professional with Turbo Intruder extension for high-speed testing
- cURL for manual header manipulation testing
- Knowledge of the target's CDN and WAF infrastructure (Cloudflare, AWS WAF, Akamai)
- List of rate-limit bypass headers to test