No Rate Limit On Forget Password

Syed Munib Ahmed
3 min readMar 7, 2021


Improper authentication (No Rate Limit on Forget Password)


So, in this blog I’m going to show you the demonstration of No Rate Limit Attack. I was testing on a private website unfortunately, I can’t reveal the name but you will learn or easily understand about this attack.

First, we learn What is No Rate Limit?

Rate limiting is a strategy for limiting network traffic. A rate limiting algorithm is used to check if the user session has to be limited based on the information in the session cache.
In case a client made too many requests within a given timeframe, HTTP-Servers should respond with status code 429: Too Many Requests.

but in my case it showed the status code 200, which is usually indication of success.

Furthermore, No rate limit means there is no mechanism to prevent you from making a request in a short period of time. you know the victim email id and website’s forget password parameter is vulnerable now enter the victim’s email and intercept the request using burp suit which is use for proxy, you can use another tool if you want then send that request into intruder for repeating it. If you didn’t get any error after 50,100 or 1000 repetitions then their will be no rate limit set on forget password.

For example: if there is no limit to send the forget password request on a single email address, so you can send multiple request on same email address which is also called email bombing and user spamming and also You can check this in comments, adding user (where you can send the multiple invites email) , sending OTPs etc.

So, Lets start the Attack 😉

Step to Reproduce:

1) First, you have to Signup an account on the website and make sure that your account exists on the website.

2) Now go to the Forget password parameter, Add email address which is already exists on the website server.

3) Then open the Burp suite, intercept the forget password request and send to the intruder also click on clear.

4) Now select the email address and click on add.

5) Move into the payload section and you can add same email multiple time like 100 or 1000.

6) Now click on start attack.

7) Go to the email account and refresh it so that you can check the bunch of forget password request on you email account.

Hurray! As you can see I got 101 forget password email from this website.
I got $300 for this report 😊

No Rate Limit successfully done 😉

Thank you Guys, hope you enjoy it and understand this scenario.


Happy Hacking ^_^



Syed Munib Ahmed

I’m a website penetration tester and also work with hackerOne and bugcrowd, Website Security is my life ^_^