Lack of Rate Limiting

Without the use of rate limiting, an adversary can make numerous repetitive requests and quickly deplete the available resources. This can result in denial of service or large-scale information leakage.

Remediation

Considering the business context of the program, implement a rate limit on every exposed endpoint (e.g., REST, GraphQL, etc.).

Metadata

Severity: low
Slug: lack-of-rate-limiting

CWEs

770: Allocation of Resources Without Limits or Throttling
400: Uncontrolled Resource Consumption

OWASP

A05:2021: Security Misconfiguration

Available Labs

Open Java labs in SecDim Play for this vulnerability.

medium

No Sutpo.java

Java Medium Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.