HawkScan Test Info for API Lack of Rate Limiting

API Lack of Rate Limiting

Reference

Plugin Id: 40052 | CWE: 770

Remediation

To mitigate Lack of Rate Limiting vulnerabilities in APIs, implement the following security measures:

  1. Rate Limiting Controls: Implement rate limiting on all API endpoints to prevent abuse and DoS attacks. Set appropriate limits based on expected usage patterns.

  2. Progressive Penalties: Implement progressive rate limiting with increasing penalties for repeated violations, including temporary blocking.

  3. Resource Usage Monitoring: Monitor API resource consumption and implement controls to prevent resource exhaustion attacks.

  4. Client Identification: Implement proper client identification mechanisms to apply rate limits effectively per client or user.
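As an added illustration of measures 1, 2 and 4 (this is example code, not HawkScan's or any framework's own implementation; the request limit, window length and block durations are assumed values), a per-client sliding-window limiter that escalates the block duration on each repeated violation:

```python
import time
from collections import defaultdict, deque


def client_key(user_id, remote_addr):
    """Measure 4: prefer the authenticated identity, fall back to source address."""
    return f"user:{user_id}" if user_id else f"ip:{remote_addr}"


class RateLimiter:
    """Sliding-window limiter with progressive penalties (measures 1 and 2).

    Assumed policy: at most `limit` requests per `window` seconds per client;
    each violation doubles the block duration, starting at `base_block`
    seconds and capped at `max_block`.
    """

    def __init__(self, limit=5, window=10.0, base_block=30.0, max_block=3600.0):
        self.limit = limit
        self.window = window
        self.base_block = base_block
        self.max_block = max_block
        self.requests = defaultdict(deque)  # client -> request timestamps in window
        self.blocked_until = {}             # client -> time at which a block expires
        self.violations = defaultdict(int)  # client -> number of violations so far

    def check(self, client, now=None):
        """Return (allowed, retry_after_seconds) for one incoming request."""
        now = time.monotonic() if now is None else now
        # An active block is honoured before any counting happens.
        until = self.blocked_until.get(client, 0.0)
        if now < until:
            return False, until - now
        # Slide the window: discard timestamps older than `window` seconds.
        q = self.requests[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) < self.limit:
            q.append(now)
            return True, 0.0
        # Over the limit: escalate the penalty for this client only.
        self.violations[client] += 1
        block = min(self.base_block * 2 ** (self.violations[client] - 1), self.max_block)
        self.blocked_until[client] = now + block
        return False, block
```

A caller maps `(False, retry_after)` to an HTTP 429 response carrying a `Retry-After` header, so well-behaved clients back off while the per-client state keeps one abusive client from affecting others.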

About

Lack of Rate Limiting in APIs occurs when endpoints do not implement proper controls to limit the number of requests from clients, leading to potential abuse and resource exhaustion. This corresponds to OWASP API Security Top 10 2023 - API04: Unrestricted Resource Consumption.

Risks

Lack of API Rate Limiting can result in:

  • Denial of Service (DoS) attacks
  • Resource exhaustion and service degradation
  • Increased infrastructure costs
  • Brute force attacks against API endpoints
  • System instability and poor user experience