Lack of Rate Limiting

Description

Lack of Rate Limiting (also known as insufficient request throttling) is a vulnerability where a web application or API allows users to make an unlimited number of requests over a short period without restriction. This oversight enables attackers or malicious bots to perform high-volume actions such as brute-forcing credentials, spamming, or launching denial-of-service attacks. Without rate limits, an application may become overwhelmed or experience performance degradation, leading to service outages or unauthorized access to user accounts.

Rate limiting typically involves applying thresholds on how many requests a user (or IP address) can make within a defined timeframe. When these limits are not in place, attackers can systematically abuse application functionality faster than most protective measures or manual detection methods can respond.

Examples

Brute-Force Attacks on Login Pages

If an attacker can attempt thousands of username-password combinations in quick succession, they have a higher chance of guessing valid credentials. Without rate limiting or lockout mechanisms, the attacker faces virtually no barriers.

Enumeration of User IDs or Resources

When an API endpoint allows fetching resource details by ID without restricting request volume, an attacker can quickly loop through possible IDs (e.g., incrementing integers) to scrape sensitive or proprietary information.

Denial-of-Service (DoS) or Resource Exhaustion

Bots or malicious scripts can repeatedly request resource-intensive pages or functions. If the server is unable to throttle the requests, it may become overloaded, impacting legitimate users.

Automated Form Submission and Spam

Forms that accept user-generated content (e.g., comments, posts, messages) can be flooded with spam or malicious links if an attacker can submit them without frequency limits.

Remediation

  1. Implement Request Throttling

    • Use built-in or third-party libraries that monitor request rates and block or delay requests exceeding configured thresholds.
    • Apply thresholds based on IP address, session tokens, or user accounts to prevent large bursts of requests.

  2. Introduce Account Lockouts or Captchas

    • Temporarily lock or challenge user accounts (e.g., via CAPTCHA) after repeated failed login attempts.
    • This step significantly increases the time and effort required for brute-force attacks.

  3. Enforce Strong Authentication and Password Policies

    • Encourage or enforce robust passwords and MFA to reduce the likelihood that brute-force attacks will succeed, even if rate limiting is not fully restrictive.
    • This is a complementary safeguard alongside rate limiting.

  4. Monitor and Alert on Anomalous Traffic

    • Use logging, analytics, and anomaly detection tools to identify surges in request volume or patterns indicative of automated scripts.
    • Generate alerts for high frequencies of requests targeting specific endpoints, allowing administrators to take action quickly.

  5. Layered Approach with Web Application Firewalls (WAF)

    • Configure WAF rules to detect and mitigate excessive requests or repeated patterns aimed at sensitive endpoints.
    • Block or throttle abusive IP addresses or suspicious traffic sources.