Missing Rate Limiting
detect, understand, remediate
Missing rate limiting allows attackers to send unlimited requests to sensitive endpoints, enabling brute-force attacks, credential stuffing, account enumeration, and denial of service.
What is missing rate limiting?
Missing rate limiting is a vulnerability that occurs when an application does not restrict the number of requests a user or client can make to sensitive endpoints within a given time window. Without these controls, attackers can send unlimited requests to login forms, API endpoints, password reset flows, and other critical functions.
This absence enables a range of attacks including brute-force credential guessing, credential stuffing, enumeration of valid usernames or resources, and denial-of-service conditions. Even well-protected authentication mechanisms become vulnerable when attackers can make millions of attempts without restriction.
Rate limiting is a fundamental defensive control that should be applied at multiple layers: per IP address, per account, per API key, and at the API gateway level. Without it, the cost of attacking your application is effectively zero for the attacker.
How it works
Identify unprotected endpoint
The attacker discovers a sensitive endpoint (login, password reset, API) that does not throttle or limit incoming requests.
Automated request flooding
Using scripts or tools, the attacker sends thousands or millions of requests per minute to the unprotected endpoint.
Bypass authentication controls
Through sheer volume, the attacker brute-forces credentials, enumerates valid accounts, or exhausts OTP codes.
Account compromise or DoS
The attacker gains unauthorised access to accounts, or the flood of requests degrades or crashes the application for legitimate users.
Common causes
No rate limiting middleware
The application stack does not include any request throttling middleware, leaving all endpoints open to unlimited requests.
No account lockout mechanism
Failed login attempts are not tracked per account, allowing unlimited password guesses without triggering a lockout or delay.
Relying on client-side throttling
Rate limiting implemented only in the frontend can be trivially bypassed by making requests directly to the API.
No API gateway controls
The application is exposed directly without an API gateway or reverse proxy that could enforce request limits at the infrastructure level.
How to detect it
Automated detection
- SecPortal's scanner sends rapid sequential requests to login and API endpoints to verify that rate limiting headers and blocks are enforced
- Response header analysis checks for X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After headers
- Code scanning identifies authentication and API routes that lack rate limiting middleware or decorators
Manual testing
- Submit multiple rapid login attempts with invalid credentials and observe whether the application throttles or blocks the requests
- Test API endpoints with automated tools to determine the maximum request throughput before any limiting occurs
- Verify that rate limits apply per IP and per account, and cannot be bypassed by rotating headers or user agents
How to fix it
Implement per-IP and per-account rate limits
Apply request throttling at both the IP and account level to prevent distributed attacks and targeted account brute-forcing.
Use progressive delays after failed attempts
Introduce exponential backoff on failed authentication attempts, doubling the delay after each failure to make brute-force attacks impractical.
Deploy CAPTCHA after failed attempts
Present a CAPTCHA challenge after a threshold of failed login attempts to distinguish automated attacks from legitimate users.
Enforce API gateway throttling
Configure rate limiting at the API gateway or reverse proxy level to provide a baseline defence before requests reach the application.
Monitor for anomalous request patterns
Set up alerting for unusual request volumes, failed authentication spikes, and patterns consistent with credential stuffing attacks.
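As an added illustration (not SecPortal's code or tooling), the following Python limiter combines the per-IP and per-account windows with the progressive-delay rule from the steps above; the limits, window, clock and the sample IP/account values are constructed assumptions, and a rejection is meant to map to an HTTP 429 with Retry-After set from the returned wait.

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Per-IP and per-account sliding-window limits plus exponential backoff on failed logins.
    Limits, window and clock defaults are constructed values, not from the page; the clock is injectable."""

    def __init__(self, ip_limit=20, account_limit=5, window=60.0,
                 base_delay=1.0, clock=time.monotonic):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window
        self.base_delay, self.clock = base_delay, clock
        self._ip_hits = defaultdict(deque)    # ip -> timestamps of allowed requests
        self._acct_hits = defaultdict(deque)  # account -> timestamps of allowed requests
        self._failures = {}                   # account -> (failure count, locked_until)

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, account):
        """Return (allowed, retry_after_seconds) for one login attempt."""
        now = self.clock()
        _, locked_until = self._failures.get(account, (0, 0.0))
        if now < locked_until:                # progressive delay still in force
            return False, locked_until - now
        for key, table, limit in ((ip, self._ip_hits, self.ip_limit),
                                  (account, self._acct_hits, self.account_limit)):
            q = table[key]
            self._prune(q, now)
            if len(q) >= limit:               # window full: tell the client when to retry
                return False, self.window - (now - q[0])
        self._ip_hits[ip].append(now)
        self._acct_hits[account].append(now)
        return True, 0.0

    def record_result(self, account, success):
        """Reset on success; on failure double the delay (1s, 2s, 4s, ...) and return it."""
        if success:
            self._failures.pop(account, None)
            return 0.0
        count = self._failures.get(account, (0, 0.0))[0] + 1
        delay = self.base_delay * 2 ** (count - 1)
        self._failures[account] = (count, self.clock() + delay)
        return delay
```

The per-account window is keyed on the account alone, so an attacker rotating source IPs (or headers) against one account still hits the account limit, which is the bypass the manual-testing step checks for.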
Check your rate limiting
SecPortal's external scanner tests rate limiting on login, signup, and API endpoints. Start scanning for free.