To fully evaluate a rate limiting / brute forcing report, we generally need four things:
1) The endpoint to which the actual request goes (Eg,
facebook.com/test/thing.php?p=1
)
2) The total number of requests/attempts you were able to make. (Eg, 1000)
3) The time in which you made those requests/attempts. (Eg, 1000 in 2 minutes)
4) Some demonstration that you weren't actually just silently locked out (Eg, request 1001 was the correct guess and worked as normal.)
Thanks,
Randy
Security