Understanding rate-limiting

Rate-limiting matters because an unthrottled scan can slow down or take down the production applications of the companies running a program.

Written by Inti
Updated over a week ago

Automated tools such as Nuclei, Burp Suite’s Intruder, Ffuf, etc., tend to send a very large number of requests per second. Some companies running a bug bounty program require you to rate-limit your outgoing requests to reduce the load on their web servers.

Watch this quick video on the importance of rate-limiting (or read the individual instructions below):

Rate-limit Nuclei:

Add the parameter -rate-limit (short form: -rl) to throttle your requests (e.g., -rate-limit 1 in order to send one request per second). Nuclei’s default is 150 requests per second, so always set this explicitly when a program asks for a limit.

Rate-limit Burp Suite’s Intruder:

In the “Intruder” tab, go to “Resource Pool” and click on “Create new resource pool”. Set “Maximum concurrent requests” to 1 and enable “Delay between requests” with a fixed delay of 1000 milliseconds. Make sure the attack you start is assigned to that pool, otherwise it will use the default pool without the delay.

Rate-limit Ffuf:

Add the parameter -rate to throttle your requests (e.g., -rate 1 in order to send one request per second). The default of 0 means unlimited, so an unthrottled Ffuf run with its default 40 threads will be very aggressive. Alternatively, -p 1 inserts a one-second delay between requests.

For more information, read: https://github.com/ffuf/ffuf#usage

Rate-limit other tools:

If you are running other tools that send a large number of requests per second (e.g., brute-forcing tools), read the manual, README, or help page to find out how to apply rate-limiting before pointing them at a target. Look for options named rate, delay, throttle, or threads; if a tool has none, wrap it in a script that enforces the delay yourself.
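For a home-grown script that has no built-in throttling, the limiter has to live in your own code. The following is an added example, not code from this article or from Intigriti: a small thread-safe rate limiter that reserves one send slot every 1/rate seconds, plus a throttled_send helper that drives a send callback over a list of targets. The class and function names, the injectable clock and sleep parameters (used so the behaviour can be checked without waiting on a wall clock), and the sample target list are all assumptions for this illustration.

```python
import threading
import time
from typing import Callable, Iterable, List, Tuple


class RateLimiter:
    """Fixed-interval limiter: allows at most `rate` acquire() calls per second.

    Thread-safe: worker threads share one limiter, and each caller is handed
    the next free slot, so concurrency never multiplies the request rate.
    `clock` and `sleep` are injectable so the schedule can be tested offline.
    """

    def __init__(
        self,
        rate: float,
        clock: Callable[[], float] = time.monotonic,
        sleep: Callable[[float], None] = time.sleep,
    ) -> None:
        if rate <= 0:
            raise ValueError("rate must be a positive number of requests per second")
        self.interval = 1.0 / rate
        self._clock = clock
        self._sleep = sleep
        self._lock = threading.Lock()
        self._next_allowed = None  # monotonic time of the next free slot

    def acquire(self) -> float:
        """Block until a request may be sent; return the seconds waited."""
        with self._lock:
            now = self._clock()
            if self._next_allowed is None or now >= self._next_allowed:
                wait = 0.0
                self._next_allowed = now + self.interval
            else:
                wait = self._next_allowed - now
                self._next_allowed += self.interval
        # Sleep outside the lock so other threads can reserve their own slots.
        if wait > 0:
            self._sleep(wait)
        return wait


def throttled_send(
    targets: Iterable[str],
    rate: float,
    send: Callable[[str], None],
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> List[Tuple[str, float]]:
    """Call send(target) for each target at no more than `rate` per second.

    Returns (target, timestamp) pairs so the spacing can be inspected.
    """
    limiter = RateLimiter(rate, clock=clock, sleep=sleep)
    sent: List[Tuple[str, float]] = []
    for target in targets:
        limiter.acquire()
        send(target)
        sent.append((target, clock()))
    return sent


if __name__ == "__main__":
    # Constructed sample wordlist; the send callback only prints, so this
    # runs offline. Swap in a real HTTP call (requests, urllib) for a target.
    paths = ["/admin", "/backup", "/.git/HEAD", "/robots.txt"]
    start = time.monotonic()
    throttled_send(
        paths,
        rate=1,  # one request per second, as a program brief might demand
        send=lambda p: print(f"{time.monotonic() - start:5.2f}s  GET {p}"),
    )
```

The same limiter can be shared by a thread pool: each worker calls acquire() before sending, and because the slot reservation happens under the lock, ten workers still produce one request per second in total rather than ten.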


Please always read the bug bounty brief carefully and check whether the program imposes a limit on the number of requests you are allowed to send per second. If it does and you ignore it, you risk getting suspended!

Also, keep in mind that disrespecting rate-limits will give you a lower chance of receiving invites to private and new programs.
