Anthropic-Cybersecurity-Skills/skills/performing-api-rate-limiting-bypass/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# API Rate Limiting Bypass — API Reference
## Libraries
| Library | Install | Purpose |
|---------|---------|---------|
| requests | `pip install requests` | HTTP request sending with custom headers |
## Rate Limit Response Headers
| Header | Description |
|--------|-------------|
| `X-RateLimit-Limit` | Maximum requests per window |
| `X-RateLimit-Remaining` | Requests remaining in window |
| `X-RateLimit-Reset` | Timestamp when limit resets |
| `Retry-After` | Seconds to wait before retrying |
| `RateLimit-Policy` | IETF draft rate limit policy |
## IP Spoofing Bypass Headers
| Header | Description |
|--------|-------------|
| `X-Forwarded-For` | Standard proxy forwarding header |
| `X-Real-IP` | NGINX real client IP |
| `X-Originating-IP` | Client originating IP |
| `X-Client-IP` | Client IP identifier |
| `True-Client-IP` | Akamai/CDN client IP |
| `CF-Connecting-IP` | Cloudflare client IP |
| `Forwarded` | RFC 7239 forwarded header |
## Bypass Techniques
| Technique | Description | Severity |
|-----------|-------------|----------|
| Header IP rotation | Rotate X-Forwarded-For per request | HIGH |
| HTTP method switching | GET rate-limited but POST is not | MEDIUM |
| Path variation | `/api/users` vs `/api/users/` | MEDIUM |
| Case variation | `/API/Users` vs `/api/users` | MEDIUM |
| URL encoding | `%2Fapi%2Fusers` instead of `/api/users` | MEDIUM |
| Null byte injection | Append `%00` to URL path | HIGH |
| API version switching | `/v1/users` vs `/v2/users` | MEDIUM |
| Parameter pollution | Duplicate query parameters | MEDIUM |
## OWASP API4:2023 — Unrestricted Resource Consumption
| Risk | Description |
|------|-------------|
| Missing rate limits | No throttling on sensitive endpoints |
| Per-IP only limits | Bypassed with header spoofing |
| No auth-based limiting | Rate limit tied to IP, not user |
| Inconsistent enforcement | Different limits per method/version |
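The risks in the table above (per-IP-only limits, no identity-based keying, inconsistent enforcement across path variants) come down to how the rate-limit key is derived. The following is an added, constructed example of a hardened key derivation plus a small fixed-window limiter; it is not code from this repository. It assumes a `TRUSTED_PROXIES` network list describing the only hops allowed to set `X-Forwarded-For`.

```python
import ipaddress
from urllib.parse import unquote

# Assumption: these networks are our own edge proxies, the only hops whose
# X-Forwarded-For entries may be believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip(peer_ip: str, headers: dict) -> str:
    """Trust X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    only the right-most entry (the one that proxy appended). Values a client puts
    in the header itself are ignored, so header rotation cannot change the key."""
    peer = ipaddress.ip_address(peer_ip)
    hdrs = {k.lower(): v for k, v in headers.items()}
    xff = hdrs.get("x-forwarded-for", "")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        try:
            return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
        except ValueError:
            pass  # malformed entry: fall back to the socket address
    return str(peer)

def canonical_path(path: str) -> str:
    """Collapse the path variants from the bypass table onto one key: drop the
    query string, percent-decode once, lower-case, remove empty/trailing segments."""
    raw = path.split("?", 1)[0]
    decoded = unquote(raw)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    parts = [p for p in decoded.lower().split("/") if p]
    return "/" + "/".join(parts)

def rate_limit_key(peer_ip: str, headers: dict, path: str, user_id=None) -> str:
    """Key on the authenticated user when there is one, otherwise on the verified IP."""
    principal = f"user:{user_id}" if user_id else f"ip:{client_ip(peer_ip, headers)}"
    return f"{principal}|{canonical_path(path)}"

class FixedWindowLimiter:
    """Minimal in-memory fixed-window counter keyed by rate_limit_key()."""
    def __init__(self, limit: int, window_seconds: int):
        self.limit, self.window, self.buckets = limit, window_seconds, {}

    def allow(self, key: str, now: float) -> bool:
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired: reset the bucket
        self.buckets[key] = (start, count + 1)
        return count + 1 <= self.limit
```

Because `/api/users`, `/API/Users`, `/api/users/` and `%2Fapi%2Fusers?a=1` all map to the same key, they share one quota; API version switching (`/v1` vs `/v2`) is a policy decision and is deliberately not collapsed here.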
## External References
- [OWASP API Security Top 10](https://owasp.org/API-Security/)
- [IETF RateLimit Header Fields](https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/)
- [HackTricks Rate Limit Bypass](https://book.hacktricks.xyz/pentesting-web/rate-limit-bypass)