Rate Limit Analyzer
Configuration Name: RateLimit
Description
The RateLimit analyzer checks for proper use of the rate limiting headers (x-rate-limit-limit, x-rate-limit-remaining, x-rate-limit-reset) in an HTTP response. A finding is reported when a response for an operation does not contain the rate limiting headers or does not properly update their values.
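As an added example (not the analyzer's own code), the following Python applies the two checks described above to a sequence of captured response headers for one operation: presence of the three headers, and consistent updating of their values between requests. The finding strings, the sample header values and the assumption that x-rate-limit-reset is the epoch second at which the window ends are constructed for illustration.

```python
REQUIRED = ("x-rate-limit-limit", "x-rate-limit-remaining", "x-rate-limit-reset")


def check_rate_limit_headers(responses):
    """Return finding strings for one operation's responses (lower-cased header
    dicts, in request order); an empty list means the headers passed."""
    findings = []
    previous = None  # (remaining, reset) from the last well-formed response
    for index, headers in enumerate(responses):
        missing = [name for name in REQUIRED if name not in headers]
        if missing:
            findings.append(f"response {index}: missing {', '.join(missing)}")
            previous = None
            continue
        try:
            limit, remaining, reset = (int(headers[name]) for name in REQUIRED)
        except ValueError:
            findings.append(f"response {index}: non-numeric rate limit header")
            previous = None
            continue
        if not 0 <= remaining <= limit:
            findings.append(f"response {index}: remaining {remaining} outside 0..{limit}")
        # Assumption: x-rate-limit-reset is the epoch second the window ends, so
        # while it is unchanged each request must lower remaining by at least one.
        if previous is not None and reset == previous[1] and remaining >= previous[0]:
            findings.append(f"response {index}: remaining not decremented "
                            f"({previous[0]} -> {remaining})")
        previous = (remaining, reset)
    return findings


def _resp(limit, remaining, reset):
    """Build a constructed response header dict for the samples below."""
    return {"x-rate-limit-limit": str(limit), "x-rate-limit-remaining": str(remaining),
            "x-rate-limit-reset": str(reset)}


# Constructed samples: a compliant sequence (new window replenishes remaining),
# then one that never decrements and finally drops the headers entirely.
GOOD = [_resp(100, 99, 1700000060), _resp(100, 98, 1700000060), _resp(100, 100, 1700000120)]
BAD = [_resp(100, 99, 1700000060), _resp(100, 99, 1700000060), {"content-type": "application/json"}]

if __name__ == "__main__":
    print(check_rate_limit_headers(GOOD))  # []
    print(check_rate_limit_headers(BAD))
```

A response whose headers fail the numeric check resets the comparison baseline, so a single malformed response does not produce a spurious "not decremented" finding on the next one.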
Background
API requests serviced by an application consume resources such as CPU, memory, network, and storage. The amount of resources used depends greatly on the implementation of the application, and concurrent client requests increase the demand on those resources. An API is vulnerable to this class of attack if it does not implement any resource constraints or rate limiting on the operations it serves.
A malicious attack can greatly impact the service KPIs and SLAs by exploiting a lack of rate limiting. An attacker may piggyback on this vulnerability to exploit other vulnerabilities, such as Broken User Authentication, that require a large number of requests.
Remedy
The API should implement rate limiting and return valid rate limit headers.
Faults Reported
Fault Identifier | Title | Summary | Solution | Severity |
---|---|---|---|---|
CWE-400 | Uncontrolled Resource Consumption | Application does not implement throttling for the rate of requests that a client may issue. | Implement request rate limiting in the application. | medium, low |