A rate limit is a mechanism that stops an attacker from abusing a piece of functionality, most often functionality related to authentication. So what goes wrong when there is no limiting in place?
Imagine a web application implements a forgotten-password feature that sends a code or token to the account owner's email address so the owner can verify that the password change request is genuine. Say the code is a 6-digit code: if there is no limit on the number of requests made to verify it, an attacker can brute-force all possible codes within minutes or even seconds.
Most websites use an ordinary login form for authentication. If an attacker can harvest the users' usernames or email addresses, they can run a brute-force attack against the password until they hit the right one.
If a website implements two-factor authentication as an extra layer, it can be bypassed just as easily, since the second-factor code is usually a 6-digit code as well.
A credit card CVV is always 3 or 4 digits, so if an attacker has someone's credit card number and the website performs some sort of verification check on the CVV before sending it to the bank's API, the CVV can be brute-forced within seconds.
Apply the check on the sender's real IP address, not on the one in the X-Forwarded-For header, for example, since that header is supplied by the client and can be set to any value.
When rate limiting a login form, it is best to freeze logins for the targeted account for some time.
Don't store the number of attempts in a cookie or in anything else that is under the user's control.
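The three mitigations above in one piece, as an added example that is not part of the original post: failures are counted server-side per account and per peer IP, the targeted account is frozen for a while once the threshold is hit, and the IP is read from the transport address rather than X-Forwarded-For. The thresholds, the in-memory store and the WSGI-style environ dict are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions for this example, not from the post)
MAX_FAILURES = 5        # failed attempts allowed inside the window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long the targeted account stays frozen


class LoginRateLimiter:
    """Server-side failure tracking keyed by account and by peer IP.

    State lives in the process here (a shared store would be used in
    production); nothing is kept in a cookie, so the client cannot reset it.
    """

    def __init__(self, now=time.time):
        self.now = now                       # injectable clock for testing
        self.failures = defaultdict(list)    # (kind, value) -> failure timestamps
        self.locked_until = {}               # account -> unlock timestamp

    def _recent(self, key, t):
        """Drop failures older than the window and return the remaining ones."""
        self.failures[key] = [ts for ts in self.failures[key] if t - ts < WINDOW_SECONDS]
        return self.failures[key]

    def check(self, account, peer_ip):
        """Return (allowed, reason). Call this before verifying the password."""
        t = self.now()
        if self.locked_until.get(account, 0) > t:
            return False, "account locked"
        for key in (("acct", account), ("ip", peer_ip)):
            if len(self._recent(key, t)) >= MAX_FAILURES:
                return False, f"too many failures from {key[0]}"
        return True, "ok"

    def record_failure(self, account, peer_ip):
        """Count a failed login; freeze the account once it reaches the threshold."""
        t = self.now()
        for key in (("acct", account), ("ip", peer_ip)):
            self._recent(key, t).append(t)
        if len(self.failures[("acct", account)]) >= MAX_FAILURES:
            self.locked_until[account] = t + LOCKOUT_SECONDS

    def record_success(self, account):
        self.failures.pop(("acct", account), None)
        self.locked_until.pop(account, None)


def peer_ip(environ):
    """Use the transport-level address; X-Forwarded-For is client-supplied
    unless a trusted proxy in front of the application rewrites it."""
    return environ.get("REMOTE_ADDR", "")
```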