Does this skill require special permissions?

Yes, rate limit testing involves sending high volumes of requests and should only be performed on systems where you have explicit, written authorization.

Which OWASP risk does this address?

This skill specifically addresses OWASP API4:2023 - Unrestricted Resource Consumption, which occurs when an API does not limit the number of requests or resource usage.

What is an API rate limit bypass test?

It is a security testing process that attempts to find ways to circumvent request throttling, ensuring that an API cannot be abused via brute-force or high-volume automated requests.

How does header spoofing work in this context?

The skill tests various HTTP headers like X-Forwarded-For and X-Real-IP to see if the API gateway incorrectly trusts client-provided headers to identify the source IP for rate limiting.

Can this skill be used in CI/CD pipelines?

Yes, it can be integrated into security testing workflows to ensure that new code deployments don't inadvertently introduce rate limiting bypasses.

API Rate Limit Bypass Testing

Name: API Rate Limit Bypass Testing
Author: mukul975

bymukul975

•

4,120

•

セキュリティとテスト

Tests and validates API rate limiting implementations by identifying bypass vulnerabilities through header manipulation, IP spoofing, and endpoint variations.

The API Rate Limit Bypass Testing skill is designed for security professionals and developers to rigorously assess the effectiveness of API throttling and resource consumption controls. It automates the identification of common vulnerabilities that allow attackers to circumvent rate limits, such as manipulating X-Forwarded-For headers, rotating IP addresses, varying URL paths, or switching HTTP methods. By simulating real-world evasion tactics, this skill helps teams harden their API gateways and WAFs against brute-force attacks, credential stuffing, and denial-of-service attempts, specifically addressing the OWASP API4:2023 Unrestricted Resource Consumption risk.

主な機能

01Automated rate limit threshold and header discovery

02Account-level identifier rotation testing

03IP-based bypass testing via X-Forwarded-For and spoofing headers

04URL path and API version variation discovery

05HTTP method and Content-Type switching analysis

064,120 GitHub stars

ユースケース

01Evaluating the effectiveness of WAF or API gateway throttling rules

02Testing authentication endpoints for brute-force and credential stuffing resilience

03Validating that rate limits are applied consistently across all API versions and methods

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-api-rate-limiting-bypass

For use in Claude.ai and ChatGPT

主な機能

01Automated rate limit threshold and header discovery

02Account-level identifier rotation testing

03IP-based bypass testing via X-Forwarded-For and spoofing headers

04URL path and API version variation discovery

05HTTP method and Content-Type switching analysis

064,120 GitHub stars

ユースケース

01Evaluating the effectiveness of WAF or API gateway throttling rules

02Testing authentication endpoints for brute-force and credential stuffing resilience

03Validating that rate limits are applied consistently across all API versions and methods

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-api-rate-limiting-bypass

For use in Claude.ai and ChatGPT