Understanding rate-limiting

Rate-limiting is important so that your testing does not disrupt customers' applications.

Written by Inti
Updated over 11 months ago

Automated tools such as Nuclei, Burp Suite’s Intruder, Ffuf, etc., tend to send a very large number of requests per second. Some companies (running a bug bounty program) might demand that you rate-limit the requests going out to put less stress on the web server.

Watch this quick video on the importance of rate-limiting (or read the individual instructions below):

Rate-limit Nuclei:

Add the parameter -rate-limit to throttle your requests (e.g., -rate-limit 1 to send one request per second).

Rate-limit Burp Suite’s Intruder:

In the “Intruder” tab, go to “Resource Pool” and click on “Create new resource pool”. Set “Maximum concurrent requests” to 1 and “Delay between requests” to 1000 milliseconds.

Rate-limit Ffuf:

Add the parameter -rate to throttle your requests (e.g., -rate 1 to send one request per second).

For more information, read: https://github.com/ffuf/ffuf#usage

Rate-limit other tools:

If you are running other tools that send a large number of requests per second (e.g., brute-forcing tools), make sure to read the manual, README, or help page to find out how to apply rate-limiting.
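
When the tool is a script of your own with no throttling option, the limit can be enforced in the script itself. The Python pacer below is an added example, not part of the original article; RequestPacer and run_paced are hypothetical names, and the send function is a stub you would replace with your own request call.

```python
import threading
import time


class RequestPacer:
    """Spaces calls so at most `per_second` start per second (thread-safe)."""

    def __init__(self, per_second, clock=time.monotonic, sleep=time.sleep):
        if per_second <= 0:
            raise ValueError("per_second must be positive")
        self.interval = 1.0 / per_second
        self._clock = clock          # injectable so the pacing can be tested
        self._sleep = sleep
        self._lock = threading.Lock()
        self._next_slot = None       # earliest time the next request may start

    def wait(self):
        """Block until the next send slot; return the seconds waited."""
        with self._lock:             # each caller reserves its own slot
            now = self._clock()
            slot = now if self._next_slot is None else max(now, self._next_slot)
            self._next_slot = slot + self.interval
        delay = slot - now
        if delay > 0:
            self._sleep(delay)       # sleep outside the lock
        return delay


def run_paced(items, send, per_second, clock=time.monotonic, sleep=time.sleep):
    """Call send(item) for each item, never faster than per_second."""
    pacer = RequestPacer(per_second, clock=clock, sleep=sleep)
    results = []
    for item in items:
        pacer.wait()
        results.append(send(item))
    return results


if __name__ == "__main__":
    # Constructed demo: the "request" is a stub, so nothing is sent anywhere.
    start = time.monotonic()
    sent = run_paced(["a", "b", "c"], lambda _: round(time.monotonic() - start, 1), 2)
    print(sent)
```

Idle time is not banked: after a pause the pacer resumes at the configured rate instead of sending a burst to catch up.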


Please always read the bug bounty brief carefully and check if the program needs you to rate-limit the number of requests you are allowed to send. Otherwise, you risk getting suspended!

Also, keep in mind that disrespecting rate-limits will give you a lower chance of receiving invites to private and new programs.
