Automated tools such as Nuclei, Burp Suite’s Intruder, Ffuf, etc. tend to send a very large number of requests per second. Some companies (running a bug bounty program) might demand that you are rate-limiting the requests going out to put less stress on the web server.
Watch this quick video on the importance of rate-limiting (or read the individual instructions below):
Add the parameter -rate-limit to throttle your requests (e.g. -rate-limit 1 in order to send one request per second)
For more information read: https://nuclei.projectdiscovery.io/nuclei/get-started/#rate-limits
Rate-limit Burp Suite’s Intruder:
In the “Intruder” tab, go to “Resource Pool” and click on “Create new resource pool”. Set “Maximum concurrent requests” to 1 and “Delay between requests” to 1000 milliseconds.
For more information read: https://portswigger.net/burp/documentation/desktop/tools/intruder/intruder-resource-pool
Add the parameter -rate to throttle your requests (e.g. -rate 1 in order to send one request per second)
For more information read: https://github.com/ffuf/ffuf#usage
Rate-limit other tools:
If you are running other tools that send a big number of requests per second (e.g., brute-forcing tools), make sure to read the manual, README, or help page to find out how to apply rate-limiting.
Please always read the bug bounty brief carefully and check if the program needs you to rate-limit the number of requests you are allowed to send. Otherwise, you risk getting suspended!
Also, keep in mind that disrespecting rate-limits will give you less chance of receiving invites to private and new programs.