WAF rate limiting applied per browser session rather than per client

During testing, the application's Vercel WAF triggered a rate-limiting or verification block, returning a "Failed to verify your browser" message (Code 705) from the Vercel Security Checkpoint.

However, the restriction appeared to be scoped to the affected browser session only. When the application was accessed from a different browser on the same machine and network, normal access was restored immediately, without additional verification or cooldown.

This suggests the rate-limiting or verification control was enforced per browser context (cookies, local storage, browser fingerprint) rather than at the client, IP, or network level.

Vulnerable scenario:

1. Trigger WAF protection through repeated requests or automated interaction.
2. Observe browser-level block with message "Failed to verify your browser (Code 705)".
3. Open a different browser on the same host.
4. Navigate to the application.
5. Observe normal access without WAF restriction.

This is not a full WAF bypass but reduces the effectiveness of rate-limiting and abuse-prevention by allowing an attacker to:

• Evade temporary rate limits by switching browsers.
• Continue automated or semi-automated testing across multiple browser contexts.
• Increase request volume without triggering sustained blocking.
• Circumvent browser-scoped verification challenges.

• Review Vercel WAF rate-limiting and challenge configuration.
• Prefer enforcement based on IP, ASN, client fingerprint, or session + IP correlation.
• Ensure verification challenges persist across browser contexts when appropriate.
• Align WAF behavior with the intended threat model (abuse prevention vs user friction).

Novaswap: Confirmed. Zealynx: Fixed.