Missing Rate Limit


A rate limit is a mechanism that stops an attacker from abusing a particular piece of functionality, most often functionality related to authentication. So what goes wrong when no limit is in place?

Examples of abusing the absence of rate limiting

  • Password reset tokens:

    Imagine a web application with a forgotten-password feature that sends a code or token to the account owner's email address so they can prove the password change request is genuine. If that code is, for example, a 6-digit number and there is no limit on the number of verification requests, an attacker can brute-force all one million possible codes within minutes or even seconds.

  • Login forms:

    Most websites authenticate users through an ordinary login form. If an attacker can harvest usernames or email addresses of the users, they can run a brute-force attack against the password field until they hit the right password.

  • Two-factor authentication:

    If a website adds two-factor authentication as an extra layer on top of the login, that layer can be bypassed just as easily, since the second factor is usually a 6-digit code that can be guessed exhaustively when the verification endpoint is not rate limited.

  • Credit card CVV:

    A credit card CVV is always 3 or 4 digits. If an attacker has someone's credit card number and the website performs some sort of verification check on the CVV before sending it to the bank's API, the CVV can be brute-forced within seconds.

Recommended solutions:

  • Key the limit on the sender's real IP address as seen by your own infrastructure, not on a client-supplied value such as the X-Forwarded-For header, which the client can set to anything.

  • When placing a rate limit on a login form, it is best to freeze logins for the targeted account for some time rather than only throttling the source address.

  • Don't store the number of attempts in a cookie or anything else that is under the user's control; keep the counter server-side.
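The following is an added example (not code from the original article) that puts the three recommendations together for the 6-digit code endpoints described above: the attempt counters live in server memory, the client address is taken from X-Forwarded-For only when the direct peer is one of our own trusted proxies (assumed to be a single hop), and the target account is frozen after a handful of wrong guesses even if the correct code is then submitted. The thresholds, window length and the `check_code` interface are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict

MAX_PER_IP = 20        # attempts allowed per source IP per window (assumed)
MAX_PER_ACCOUNT = 5    # wrong guesses before the account is frozen (assumed)
WINDOW_SECONDS = 600   # sliding window length and freeze duration (assumed)

# Server-side state only; a production deployment would keep this in Redis.
_ip_attempts = defaultdict(list)       # ip -> [timestamps of attempts]
_account_failures = defaultdict(list)  # account -> [timestamps of failures]
_frozen_until = {}                     # account -> unix time the freeze ends


def client_ip(remote_addr, trusted_proxies, x_forwarded_for=None):
    """Trust X-Forwarded-For only when the direct peer is our own proxy.

    Assumes one trusted hop, so the rightmost entry is what that proxy
    appended; anything further left was supplied by the client."""
    if remote_addr in trusted_proxies and x_forwarded_for:
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def _prune(events, now):
    """Drop timestamps that fell outside the sliding window."""
    events[:] = [t for t in events if now - t < WINDOW_SECONDS]
    return events


def check_code(account, submitted, expected, ip, now=None):
    """Return (accepted, reason); every attempt is counted before comparing."""
    now = time.time() if now is None else now
    if _frozen_until.get(account, 0) > now:
        return False, "account_frozen"       # refused even if the code is right
    ip_hits = _prune(_ip_attempts[ip], now)
    if len(ip_hits) >= MAX_PER_IP:
        return False, "ip_rate_limited"
    ip_hits.append(now)
    if hmac.compare_digest(submitted, expected):   # constant-time compare
        _account_failures[account].clear()
        return True, "ok"
    failures = _prune(_account_failures[account], now)
    failures.append(now)
    if len(failures) >= MAX_PER_ACCOUNT:
        _frozen_until[account] = now + WINDOW_SECONDS
        return False, "account_frozen"
    return False, "wrong_code"
```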