13 Applying Evasive Techniques and Rate Limit Testing

In this chapter, we’ll cover techniques for evading or bypassing common API security controls. Then we’ll apply these evasion techniques to test and bypass rate limiting.

When testing almost any API, you’ll encounter security controls that hinder your progress. These could be a web application firewall (WAF) that scans your requests for common attack patterns, input validation that restricts the type of input you can send, or a rate limit that restricts how many requests you can make in a given period.

Because REST APIs are stateless, API providers must find ways to effectively attribute the origin of requests, and they’ll use ...
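The attribution problem above is easiest to see in code. The following is an added example, not code from the book: a small fixed-window rate limiter that counts requests per attribution key, run against the same constructed traffic with two hypothetical key functions, one that attributes requests to the TCP peer address and one that trusts the first value of a client-supplied `X-Forwarded-For` header. The limiter class, both key functions, the `serve` helper and the sample requests are all assumptions made for this illustration.

```python
"""Added example (not from the book): a fixed-window rate limiter keyed on an
attribution value, used to show why the choice of that value matters."""
from collections import defaultdict


class FixedWindowRateLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        # key -> (window start time, request count in that window)
        self._buckets: dict[str, tuple[float, int]] = defaultdict(lambda: (0.0, 0))

    def allow(self, key: str, now: float) -> bool:
        start, count = self._buckets[key]
        if now - start >= self.window:
            # Window expired (or first request for this key): start a new one.
            start, count = now, 0
        if count >= self.limit:
            self._buckets[key] = (start, count)
            return False
        self._buckets[key] = (start, count + 1)
        return True


def key_from_socket_ip(request: dict) -> str:
    """Attribute the request to the TCP peer address (not client-controlled)."""
    return request["socket_ip"]


def key_from_forwarded_header(request: dict) -> str:
    """Attribute the request to the first X-Forwarded-For hop if present.

    Hypothetical weak choice: the header is supplied by the client, so the
    client effectively chooses its own attribution key.
    """
    xff = request.get("headers", {}).get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request["socket_ip"]


def serve(requests, key_func, limit=3, window=60.0):
    """Return the HTTP status the limiter would assign to each request."""
    limiter = FixedWindowRateLimiter(limit, window)
    return [200 if limiter.allow(key_func(r), r["t"]) else 429 for r in requests]


# Constructed sample traffic: one client (one socket IP) sends five requests
# inside a single window, setting a different X-Forwarded-For value each time.
SAMPLE_REQUESTS = [
    {"t": float(i), "socket_ip": "203.0.113.7",
     "headers": {"X-Forwarded-For": f"10.0.0.{i}"}}
    for i in range(5)
]

if __name__ == "__main__":
    print("socket IP key:   ", serve(SAMPLE_REQUESTS, key_from_socket_ip))
    print("forwarded header:", serve(SAMPLE_REQUESTS, key_from_forwarded_header))
```

With the limit set to three, keying on the socket address yields three 200s followed by two 429s, while keying on the forwarded header yields five 200s, because every request lands in a fresh bucket. The point for testing is that a rate limit is only as strong as the attribute it keys on: whatever the provider uses to attribute a request is what you vary to see whether the limit follows you.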
