missing-rate-limiting-anti-pattern
Missing Rate Limiting Anti-Pattern
Severity: High
Summary
Applications fail to restrict action frequency, allowing unlimited requests to endpoints. Enables brute-force attacks, data scraping, and denial-of-service through resource-intensive requests.
The Anti-Pattern
The anti-pattern is exposing endpoints (especially authentication/resource-intensive) without controlling request frequency per user or IP.
BAD Code Example
# VULNERABLE: The login endpoint has no rate limiting.
from flask import request, jsonify
@app.route("/api/login", methods=["POST"])
def login():
username = request.form.get("username")
password = request.form.get("password")
# Endpoint callable thousands of times per minute from same IP.
# Attacker uses password lists for brute-force/credential stuffing,
# trying millions of passwords until finding correct one.
if check_credentials(username, password):
return jsonify({"status": "success", "token": generate_token(username)})
else:
return jsonify({"status": "failed"}), 401
# Search endpoint without rate limiting.
@app.route("/api/search")
def search():
query = request.args.get("q")
# Attacker rapidly hits endpoint, scraping data or causing
# DoS through heavy database work.
results = perform_complex_search(query)
return jsonify(results)
GOOD Code Example
# SECURE: Implement rate limiting using middleware and a tracking backend like Redis.
from flask import request, jsonify
from redis import Redis
from functools import wraps
redis = Redis()
def rate_limit(limit, per, scope_func):
def decorator(f):
@wraps(f)
def decorated_function(*args, **kwargs):
key = f"rate-limit:{scope_func(request)}:{request.endpoint}"
# Increment count for current key.
# Expire after `per` seconds on first request in window.
p = redis.pipeline()
p.incr(key)
p.expire(key, per)
count = p.execute()[0]
if count > limit:
return jsonify({"error": "Rate limit exceeded"}), 429
return f(*args, **kwargs)
return decorated_function
return decorator
# Get identifier for rate limit scope (IP address).
def get_ip(request):
return request.remote_addr
# Apply different rate limits per endpoint.
@app.route("/api/login", methods=["POST"])
@rate_limit(limit=10, per=60*5, scope_func=get_ip) # 10 requests/5min per IP
def login_secure():
# ... login logic ...
pass
@app.route("/api/search")
@rate_limit(limit=100, per=60, scope_func=get_ip) # 100 requests/min per IP
def search_secure():
# ... search logic ...
pass
Detection
- Review public endpoints: Examine all endpoints that can be accessed without authentication. Do they have rate limiting?
- Check authentication endpoints: Specifically look at login, password reset, and registration endpoints. These are prime targets for brute-force attacks if not rate-limited.
- Analyze API design: For public APIs, check if there is a documented rate-limiting policy (e.g., in the API documentation).
- Perform testing: Write a simple script to hit a single endpoint in a tight loop. If you don't receive a
429 Too Many Requestsstatus code after a certain number of attempts, the endpoint is likely missing rate limiting.
Prevention
- Implement IP-based rate limiting: All public endpoints, especially authentication/sensitive ones.
- Implement account-based rate limiting: Prevent authenticated users from abusing system.
- Use appropriate algorithm: Token Bucket, Leaky Bucket, or Fixed/Sliding Window. Most frameworks have middleware.
- Return
429 Too Many Requests: IncludeRetry-Afterheader indicating retry time. - Log rate limit violations: Identify and respond to potential attacks.
- Consider account lockouts for login: Additional defense after failed attempts.
Related Security Patterns & Anti-Patterns
- Missing Authentication Anti-Pattern: Endpoints that are missing authentication are at even greater risk if they also lack rate limiting.
- Denial of Service (DoS): Missing rate limiting is a primary cause of application-layer DoS vulnerabilities.
References
More from igbuend/grimbard
tikz
LaTeX TikZ/PGF package for programmatic vector graphics and diagrams. Use when helping users draw flowcharts, trees, graphs, automata, circuits, geometric figures, or any custom diagram in LaTeX.
95latex
Comprehensive LaTeX reference for document creation, formatting, mathematics, tables, figures, bibliographies, and compilation. Use when helping users write, edit, debug, or compile LaTeX documents.
38pgfplots
LaTeX pgfplots package for data visualization and plotting. Use when helping users create line plots, bar charts, scatter plots, histograms, 3D surfaces, or any scientific/data plot in LaTeX.
34biblatex
LaTeX biblatex/biber packages for modern bibliography management. Use when helping users cite references, manage .bib files, choose citation styles, or troubleshoot bibliography compilation.
24ethical-hacking-ethics
Legal and ethical guidelines for bug bounties, pentesting, and security research. Use when conducting authorized security testing.
12amsmath
LaTeX amsmath/amssymb/mathtools packages for mathematical typesetting. Use when helping users write equations, align math, use mathematical symbols, matrices, theorems, or any advanced math formatting.
12