How Hackers Brute Force Modern Login Pages 2026

Everyone knows about brute force. You run Hydra, you pick rockyou.txt, you point it at the login form. And then you hit the rate limit after ten requests and your attack is dead.

That’s because modern login pages don’t have one protection — they have layers. Rate limiting. Account lockout. CAPTCHA. MFA. IP reputation checks. The hunters consistently finding authentication bypass findings on major bug bounty programmes aren’t brute-forcing in the traditional sense. They’re testing whether each protection layer actually works, and finding the specific implementation flaws where one layer fails without breaking the others.

I’ve found rate limiting bypasses on FTSE 100 company login pages by adding a single header. I’ve found CAPTCHA token reuse on a financial services platform that meant the CAPTCHA provided exactly zero protection. I’ve found MFA OTP brute force on a healthcare portal with no rate limiting on the OTP entry form. These aren’t exotic attacks — they’re systematic testing of controls that developers implemented incorrectly. Here are the five that pay most consistently.

🎯 What You’ll Know After This

How to test X-Forwarded-For header injection for rate limit bypass — a 5-minute check on every login form

CAPTCHA token reuse testing — one request to confirm, no solving service needed

Username enumeration via timing difference — finding valid accounts before brute force starts

Account lockout bypass patterns that appear on real bug bounty programmes

MFA OTP brute force and race condition techniques in authorised testing contexts

⏱️ 25 min read · applicable to your next bug bounty session

📋 How Hackers Brute Force Modern Login Pages – Contents

Bypass 1 — Rate Limit via IP Header Injection
Bypass 2 — CAPTCHA Token Reuse
Bypass 3 — Username Enumeration via Timing
Bypass 4 — Account Lockout Logic Flaws
Bypass 5 — MFA OTP Rate Limiting Absence
Chaining: Enumeration + Bypass = Account Takeover

Bypass 1 — Rate Limit via IP Header Injection

Rate limiting should track failed attempts by account, not by IP. But a lot of implementations track by source IP — because it’s simpler to implement. That implementation choice creates the bypass: if the application respects the X-Forwarded-For header as the source IP, rotating that header value resets your attempt counter.

The test takes two minutes. Add an X-Forwarded-For header with a fake IP to your login request. Confirm the application accepts it (no error). Then change the IP value and retry a failed attempt — does the failed attempt counter reset? If yes, the rate limiting is bypassable by anyone who can send custom headers. In Burp Intruder, use a Pitchfork attack type with one payload on the password field and one on the X-Forwarded-For value.

RATE LIMIT BYPASS — IP HEADER INJECTION

# Test 1: Does the application accept X-Forwarded-For?

POST /login HTTP/1.1

Host: target.com

X-Forwarded-For: 10.0.0.1

X-Real-IP: 10.0.0.1

username=test&password=wrong

# Test 2: Does changing the value reset the rate limit?

# Send 4 failed attempts with IP = 10.0.0.1

# Change X-Forwarded-For to 10.0.0.2

# If attempt counter resets → rate limit bypass confirmed

# Burp Intruder Pitchfork automation

# Payload set 1 (password): wordlist.txt

# Payload set 2 (X-Forwarded-For): sequential IPs

Result: unlimited password attempts without triggering lockout

# Other headers to test for same bypass

X-Real-IP: 10.0.0.2

X-Originating-IP: 10.0.0.2

X-Client-IP: 10.0.0.2

True-Client-IP: 10.0.0.2

Bypass 2 — CAPTCHA Token Reuse

Most developers implement CAPTCHA by integrating Google reCAPTCHA or hCaptcha and checking that the response token is valid. What many don’t implement: checking that the token hasn’t been used before. A valid solved token should be single-use. If the server accepts the same token on multiple requests, CAPTCHA provides no protection against automated testing — you solve it once manually and replay that token indefinitely.

The test is trivial. Solve the CAPTCHA once normally, capture the g-recaptcha-response parameter in Burp, and replay the login request with that same value multiple times. If subsequent requests succeed despite the token being “used,” token reuse is confirmed.

CAPTCHA TOKEN REUSE TEST

# Step 1: Solve CAPTCHA normally in browser

# Step 2: Capture login POST in Burp — find g-recaptcha-response

POST /login

username=testuser&password=wrong&g-recaptcha-response=03ANYolqt…

# Step 3: Send to Repeater — replay same request multiple times

# Keep the g-recaptcha-response value identical

# Change only the password field

# Expected (secure): 2nd request returns CAPTCHA error

# Vulnerable: 2nd, 3rd, 10th request all return “wrong password”

# (wrong password = CAPTCHA accepted, password just incorrect)

# Other CAPTCHA bypass tests

Test: Remove g-recaptcha-response parameter entirely

→ If accepted: CAPTCHA not enforced server-side at all

Test: Send empty string: g-recaptcha-response=

→ If accepted: trivial bypass, no solving needed

securityelites.com

Login Protection Bypass Decision Tree
Rate Limiting Present?
YES → Test X-Forwarded-For header rotation → resets counter? = bypass
NO → Test without any bypass → unlimited attempts
CAPTCHA Present?
YES → Test token reuse (replay same g-recaptcha-response)
YES → Test empty/missing token parameter
Account Lockout Present?
YES → Test lockout per-IP vs per-account → IP bypass via header?
YES → Test password spraying (1 password per account) — avoids lockout
MFA Present?
YES → Test OTP rate limiting separately → brute force 6-digit OTP?
YES → Test OTP reuse within validity window

📸 Login protection bypass decision tree — test each layer independently in this order. Rate limiting and CAPTCHA often protect the same login form but fail at different levels. Confirming which controls are present before testing bypass techniques means you spend time on the layers that are actually there. The tree also shows why MFA bypass is a separate test from login rate limiting — they protect different stages of the authentication flow and have different implementation failure modes.

Bypass 3 — Username Enumeration via Timing

Before brute-forcing anything, you want to know which usernames exist. The most reliable enumeration technique that survives normalised error messages is timing analysis. When you submit a valid username with a wrong password, the application does a database lookup, finds the account, then checks the password — that takes measurable time. When you submit an invalid username, the application either skips the password check or returns immediately — slightly faster.

The timing difference is often only 50-200ms, but it’s consistent. Run Burp Intruder with a username wordlist, constant wrong password, and sort results by response time. Valid usernames cluster at one timing band, invalid ones at another. On large user populations this gives you a confirmed valid username list before you attempt a single password.

Bypass 4 — Account Lockout Logic Flaws

Account lockout is often implemented with subtle logic errors. The most common: lockout per IP, not per account — already covered in Bypass 1. The second most common: the lockout counter doesn’t reset correctly. Test whether a correct password attempt resets the lockout counter, or whether it persists regardless of correct attempts in between. A counter that resets on any successful interaction (not just the same account) creates a bypass: alternate between correct and wrong passwords with the counter never reaching the threshold.

The most complete chain I’ve documented on a real engagement: timing analysis confirmed 340 valid usernames from a company’s login page. X-Forwarded-For rotation bypassed the 10-attempt rate limit. CAPTCHA token reuse eliminated the CAPTCHA layer entirely. Credential stuffing from a 2022 breach database against the valid username list returned 11 working account credentials. Six of those accounts had no MFA because they were contractor accounts the IT team had deprioritised in the MFA rollout. That’s a complete path from zero knowledge to eleven authenticated sessions — every step enabled by a different bypass finding, each one Medium-rated individually, collectively Critical. The report structure that got it triaged as Critical immediately: a numbered attack chain table showing exactly which bypass enabled which step, with the full impact at the bottom. Individual findings submitted separately would have been five Medium payouts. Submitted as a chain with documented impact: one Critical.

Password spraying is the anti-lockout technique. One password per account. Lockout triggers after N failed attempts per account. With one attempt per account, no individual account ever reaches N. Against an organisation with 500 employees, testing password “Summer2026!” against all 500 accounts triggers zero lockouts while finding anyone using that exact password.

Bypass 5 — MFA OTP Rate Limiting Absence

Here’s the MFA implementation flaw I find most consistently: rate limiting exists on the username/password form, but not on the OTP entry form. The developer secured the first step thoroughly and forgot the second step is also a brute-force surface. A 6-digit TOTP has 1,000,000 possible values. With no rate limiting on OTP entry, you can brute force it in under two minutes with automated requests.

The test: get past the first authentication step with valid credentials (your own test account), arrive at the OTP entry form, and send that form submission to Burp Intruder. Load a 6-digit number sequence as the payload. Start the attack and watch the response lengths. Any response with a different length from the “wrong OTP” baseline indicates a valid OTP or a different error — investigate it.

🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)

Research Published Rate Limiting and CAPTCHA Bypass Bug Bounty Reports

⏱️ 15 minutes · Browser only

The best way to understand what’s actually finding real payouts is reading the reports. Real bug bounty reports show exactly what the researcher tested, what they found, and what the impact was rated. Start here before testing anything yourself.

Step 1: Search HackerOne disclosed reports
Go to: hackerone.com/hacktivity
Filter: Vulnerability type = “Improper Authentication”
Read 3 disclosed reports involving rate limiting or account lockout

Step 2: Search for CAPTCHA bypass reports
hackerone.com/hacktivity → search “CAPTCHA bypass”
What bypass technique was used in each report?
What was the CVSS score assigned?

Step 3: Search for MFA bypass reports
hackerone.com/hacktivity → search “MFA bypass” or “OTP bypass”
How many involve rate limiting on the OTP form specifically?
What’s the most common impact description?

Step 4: Find a credential stuffing or password spraying report
Search: “password spraying” OR “credential stuffing” site:hackerone.com
What organisational conditions made the attack successful?
Was account lockout present? If so, how was it bypassed?

Step 5: Calculate average payout
From your 5 reports: what was the median bounty amount?
What was the severity distribution (Low/Med/High/Critical)?
Which bypass type paid most consistently?

✅ That pattern in the HackerOne reports — the same bypass techniques appearing on different programmes across different years — is the signal. These aren’t exotic attacks discovered by one researcher. They’re systematic implementation failures that replicate because developers face the same time pressure and don’t test their own authentication controls. The findings paying consistently are rate limiting bypass via IP header injection and CAPTCHA token reuse — both testable in under five minutes with Burp Repeater.

📸 Screenshot a disclosed rate limiting bypass report from HackerOne. Share in #bug-bounty

securityelites.com

Burp Intruder — Rate Limit Bypass via X-Forwarded-For
Attack type: Pitchfork | Payloads: [password_list] × [IP_sequence]
#PasswordX-Forwarded-ForStatusLength
1password12310.0.0.1200842
2Summer2026!10.0.0.2200842
3Welcome@110.0.0.32003847
4qwerty12310.0.0.4200842

Row 3: Response length 3847 vs baseline 842 → login successful. Rate limiting bypassed via IP rotation.

📸 Burp Intruder Pitchfork attack bypassing rate limiting via X-Forwarded-For header rotation. Each request uses a different spoofed IP value — the application’s rate limiter resets its counter per IP, so no individual IP ever reaches the lockout threshold. Row 3 shows the successful credential hit: response length 3847 vs the 842-byte failed login response. The entire attack ran 4 attempts — well under any lockout threshold — because the IP rotation prevents the counter from incrementing against a single source. This is why per-account lockout (not per-IP) is the correct implementation.

🧠 EXERCISE 2 — THINK LIKE A HACKER (15 MIN · NO TOOLS)

Design the Authentication Bypass Test Checklist

⏱️ 15 minutes · No tools needed

Before you run any of these tests on a real target, you need a systematic checklist that covers every protection layer without missing anything. Build it here, from scratch, using what you’ve just learned.

TASK: Write a personal authentication bypass test checklist
with exactly 10 items covering all 5 bypass types.

For each item, specify:
– What you’re testing (1 sentence)
– How you test it (specific technique or Burp tool)
– What outcome confirms vulnerability

Start with these categories and add 2 items per category:
1. Rate Limiting (2 tests)
2. CAPTCHA (2 tests)
3. Username Enumeration (2 tests)
4. Account Lockout (2 tests)
5. MFA (2 tests)

BONUS: For each vulnerability type, identify:
– Minimum Burp Suite tool needed to test it
– Approximate time to test (in minutes)
– Realistic CVSS range for a confirmed finding

CONSTRAINT: None of your tests should affect other users
in a production system. All tests use your own test accounts.
How does this constraint change any of your 10 test designs?

✅ Your checklist is now a reusable asset. Every authentication page you encounter on a real bug bounty programme gets run through those 10 checks systematically. The constraint in the bonus question is the most important part — authentication testing on production systems using other users’ accounts crosses an ethical and legal line. Test credential: your own registered account on the target programme. Everything you test, you test on your own session, your own account, your own OTP form. The findings apply universally because the implementation flaws aren’t account-specific.

📸 Post your 10-item checklist in #bug-bounty. Get feedback on anything you missed.

Chaining: Enumeration + Bypass = Account Takeover

Individual authentication bypass findings rate Medium in most programmes. Chain them together and you’re at Critical. Here’s the chain I’ve demonstrated on real engagements: timing enumeration gives you a list of valid usernames → rate limit bypass via X-Forwarded-For gives you unlimited attempts → credential stuffing with breach data against those valid usernames → account takeover.

None of those individual findings is Critical in isolation. Together, the attack path goes from “I know nothing about the application” to “I have account access” without triggering a single protection. That’s the bug bounty report structure that generates Critical payouts: not one finding, but a documented chain with each step and the cumulative impact.

securityelites.com

Username Enumeration via Response Timing
Burp Intruder — Sniper mode · Username wordlist · Same wrong password
UsernameStatusResponse TimeLengthValid?
notauser20048ms842No
alice200312ms842Yes ←
fakeuser20051ms842No
bob.smith200298ms842Yes ←

📸 Username enumeration via response timing. All responses return status 200 with identical body length — the application correctly normalises error messages. But the response time for valid usernames (alice: 312ms, bob.smith: 298ms) is consistently ~6× longer than invalid usernames (48-51ms). The timing difference occurs because valid usernames trigger a bcrypt password comparison — bcrypt is intentionally slow. Invalid usernames return immediately without the computation. Sorting Burp Intruder results by response time makes valid usernames immediately visible even when error messages are identical.

🛠️ EXERCISE 3 — BROWSER ADVANCED (15 MIN · NO INSTALL)

Find a Bug Bounty Programme with Authentication Testing in Scope

⏱️ 15 minutes · HackerOne or Bugcrowd account

Your next step after reading this article is finding a real target where authentication bypass testing is explicitly in scope. Here’s how to find the right programme.

Step 1: Browse HackerOne for authentication-scope programmes
hackerone.com/programs → filter by “authentication” in scope
Or search: programme policies mentioning “rate limiting”, “brute force”

Step 2: Read the programme policy carefully
Is brute force testing explicitly allowed or excluded?
What test account process does the programme require?
Is there a staging environment for testing?

Step 3: Find 3 programmes that explicitly allow authentication testing
Document: programme name, scope, test account method, bounty range

Step 4: For each programme, check disclosed reports
Has anyone already reported rate limiting bypass on this programme?
What was the outcome? Was it accepted or marked as informational?

Step 5: Choose one programme and complete the test account setup
Register a legitimate test account following the programme’s process
Note: some programmes require notifying them before authentication testing
Confirm the test account email is yours and the account is yours to test with

✅ You now have a real target with explicit authentication testing scope, a test account set up correctly, and disclosed report history telling you what’s already been found. The two minutes you spend reading disclosed reports before testing saves you from submitting a duplicate — and tells you exactly which bypass type hasn’t been tested yet on this programme. That gap is where your finding lives.

📸 Screenshot the programme policy section confirming authentication testing is in scope. Share in #bug-bounty

✅ 5 Authentication Bypass Techniques — Ready to Apply

Rate limit via IP header, CAPTCHA token reuse, timing enumeration, lockout logic flaws, MFA OTP rate limiting — five systematic tests, each applicable in under five minutes, each finding payouts consistently on major programmes. The next authentication form you encounter gets all five.

🧠 Quick Check

A login page has a 5-attempt lockout with CAPTCHA. You’ve solved the CAPTCHA once and have the token. You replay the same token with different passwords 10 times — the server accepts each attempt without re-prompting CAPTCHA and locks your account after 5 failures. What two findings are present and what are their severities?

❓ Brute Force & Auth Bypass FAQ

How do hackers bypass rate limiting on login pages?

Most rate limiting tracks attempts by source IP. Bypass: add X-Forwarded-For or X-Real-IP header with a different spoofed IP per attempt. If the application trusts these headers, the counter resets with each IP change. Well-implemented rate limiting validates these headers against trusted proxies and tracks per-account rather than per-IP.

What is credential stuffing and how is it different from brute force?

Credential stuffing uses real username:password pairs from data breaches. Success rate is low (0.1-2%) but the pairs are confirmed valid somewhere — most people reuse passwords. Brute force generates possible passwords from wordlists without prior breach data. Stuffing is more effective per attempt; brute force is more flexible for unknown targets.

Can CAPTCHAs be bypassed in bug bounty testing?

Yes — via token reuse. Solve the CAPTCHA once, capture the token, replay the same token on multiple login attempts. Many implementations don’t mark tokens as used after first acceptance. Also test: empty or missing token parameter — some applications don’t validate server-side at all.

Is testing login page brute force protections legal for bug bounty?

Yes — with your own test accounts, not affecting other users. Use dedicated test credentials, stay within programme scope, don’t trigger lockouts on real user accounts. Most programmes explicitly allow authentication testing. Document your methodology clearly in the report.

What is password spraying?

Testing one password against many usernames — the inverse of brute force. Against a 5-attempt lockout policy, brute force locks one account after 5 attempts. Spraying tests “Summer2026!” against 1,000 accounts — one attempt per account, never triggering any individual lockout. Highly effective against large user populations.

What CVSS score does a rate limiting bypass get?

Rate limiting bypass on login endpoints: typically Medium (CVSS 4.0-6.9). Higher if enabling unlimited credential stuffing with no other controls. Combined with username enumeration, chain rates High. Account lockout bypass alone: Low to Medium. Check programme’s vulnerability classification guide — some have explicit ratings for authentication findings.

← Previous

Gobuster vs ffuf vs Feroxbuster 2026

Social Engineering Scripts Pentesters Use

📚 Further Reading

Day 22 — GraphQL Bug Bounty — GraphQL APIs frequently have weaker authentication controls than REST endpoints — the same systematic testing approach from this article applies directly to GraphQL login and auth mutations.
Day 16 — Rate Limiting Bug Bounty — The dedicated rate limiting course module with additional bypass techniques covering non-login endpoints like password reset, OTP generation, and email verification flows.
How Hackers Bypass 2FA in 2026 — Full coverage of MFA bypass beyond OTP brute force — SIM swapping, SS7 attacks, real-time phishing proxies, and session token theft after MFA completion.
PortSwigger — Authentication Vulnerabilities Labs — Free lab environment covering every authentication bypass technique covered above with guided exercises and working solutions.
HackerOne Hacktivity — Disclosed Reports — Search “rate limiting” or “CAPTCHA bypass” to read real disclosed reports — the fastest way to understand what these findings look like in practice and how triagers rate them.

Mr Elite

Owner, SecurityElites.com

The rate limiting bypass on the FTSE 100 company took literally four minutes from first request to confirmed finding. Added X-Forwarded-For to a failed login request, changed the IP, sent it again — the lockout counter reset. That’s it. Four minutes, one header, a confirmed Medium finding on a major company’s primary login page. The thing that still surprises me every time is that these controls have been documented as bypassable for years. Developers continue to implement them incorrectly because testing authentication flows is rarely part of the standard QA process. That gap is where bug bounty hunters live.

#	Password	X-Forwarded-For	Status	Length
1	password123	10.0.0.1	200	842
2	Summer2026!	10.0.0.2	200	842
3	Welcome@1	10.0.0.3	200	3847
4	qwerty123	10.0.0.4	200	842

Username	Status	Response Time	Length	Valid?
notauser	200	48ms	842	No
alice	200	312ms	842	Yes ←
fakeuser	200	51ms	842	No
bob.smith	200	298ms	842	Yes ←

🎯 What You’ll Know After This

📋 How Hackers Brute Force Modern Login Pages – Contents

Bypass 1 — Rate Limit via IP Header Injection

Bypass 2 — CAPTCHA Token Reuse

Bypass 3 — Username Enumeration via Timing

Bypass 4 — Account Lockout Logic Flaws

Bypass 5 — MFA OTP Rate Limiting Absence

Chaining: Enumeration + Bypass = Account Takeover

✅ 5 Authentication Bypass Techniques — Ready to Apply

🧠 Quick Check

❓ Brute Force & Auth Bypass FAQ

📚 Further Reading

Leave a Comment Cancel reply