429 Too Many Requests or 200 OK with an error in the response body. However, an application may not change the HTTP code and response body, thus creating the appearance of a lack of rate limit. In some cases you can verify this behavior by entering a valid value, for instance a valid password or OTP, thus simulating the final result of bruteforce.

- Add an X-Forwarded-For header to the OTP check request.
- Add %00, %09, %0a, %0c, %20, etc. to the endpoint. For instance, if the bare endpoint is /api/v4/endpoint, try the following endpoints:
  /api/v4/endpoint
  /api/v4/Endpoint
  /api/v4/EndPoint
  /api/v4/endpoint%00
  /api/v4/%0aendpoint
  /api/v4/endpoint%09
  /api/v4/%20endpoint
  /api/v4/endpoint?some_param=1
- Add %00, %09, %0a, %0c, %20, etc. to params. For instance, if requesting a code to an email has only n tries, use user@example.com%00 after exceeding n attempts, then user@example.com%20, and so on.
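From the defender's side, every variant above works only when the rate limiter keys its counter on the raw request. The following is an added example, not code from the original page: a hypothetical `OtpRateLimiter` (names, the `TRUSTED_PROXIES` set and the sample values are all assumptions) that canonicalizes the path and e-mail parameter and honours X-Forwarded-For only from a trusted proxy, so the padded, re-cased and query-string variants all land on one counter.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote

# Hypothetical values (not from the original page): the only hop allowed to
# set X-Forwarded-For, and the control/whitespace bytes the text lists.
TRUSTED_PROXIES = {"10.0.0.1"}
CONTROL_AND_SPACE = re.compile(r"[\x00-\x20\x7f]")   # %00 %09 %0a %0c %20 ...

def canonical_path(path: str) -> str:
    """Percent-decode, drop the query string, strip control bytes, lowercase."""
    path = unquote(path).split("?", 1)[0]
    return CONTROL_AND_SPACE.sub("", path).lower().rstrip("/")

def canonical_email(value: str) -> str:
    """Decode and strip padding so 'user@example.com%00' equals 'user@example.com'."""
    return CONTROL_AND_SPACE.sub("", unquote(value)).lower()

def client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Use X-Forwarded-For only when the TCP peer is a trusted proxy; else the peer IP."""
    if peer_ip in TRUSTED_PROXIES and x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return peer_ip

class OtpRateLimiter:
    def __init__(self, limit: int = 5):
        self.limit = limit
        self.counts = defaultdict(int)   # key: (client ip, canonical path, canonical email)

    def allow(self, peer_ip, path, email, x_forwarded_for=None) -> bool:
        key = (client_ip(peer_ip, x_forwarded_for), canonical_path(path), canonical_email(email))
        self.counts[key] += 1
        return self.counts[key] <= self.limit

def simulate(limit: int = 3) -> int:
    """Replay the variants from the text (constructed input); return how many were allowed."""
    rl = OtpRateLimiter(limit)
    variants = [
        ("/api/v4/endpoint", "user@example.com"),
        ("/api/v4/Endpoint", "user@example.com"),
        ("/api/v4/endpoint%00", "user@example.com"),
        ("/api/v4/%0aendpoint", "user@example.com%00"),
        ("/api/v4/endpoint?some_param=1", "user@example.com%20"),
    ]
    # The spoofed X-Forwarded-For is ignored because 203.0.113.9 is not a trusted proxy.
    return sum(rl.allow("203.0.113.9", p, e, x_forwarded_for="127.0.0.1") for p, e in variants)
```

With a limit of 3, only the first three of the five variants are allowed; a limiter keyed on the raw path, raw parameter or the spoofable header would have allowed all five.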