Missing Rate Limiting

Learn how to prevent rate limiting attacks with real code examples and best practices. Protect your application from brute force attacks and denial of service.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Missing Rate Limiting and How Does it Work?

Missing Rate Limiting is a security vulnerability that occurs when an application fails to limit the number of requests a user or IP address can make within a specific time period. Without proper rate limiting, attackers can perform:

Brute force attacks on authentication endpoints
Denial of Service (DoS) attacks
API abuse and scraping
Resource exhaustion
Excessive costs in pay-per-use services

This guide covers Rate Limiting implementation, examples, prevention methods, and how to properly secure your endpoints using real-world techniques.

One Simple Rate Limiting Attack Example

Consider this vulnerable API endpoint without rate limiting:

app.post('/login', function(req, res) {
    const { username, password } = req.body;
    authenticateUser(username, password);
});

An attacker could make thousands of requests per second to this endpoint:

while true; do curl -X POST http://api.example.com/login; done

This could lead to:

Server overload Increased costs Successful brute force attacks

Rate Limiting Prevention Methods: How to Fix Your Code

The most efficient way to fix Missing Rate Limiting is by implementing a rate limiter middleware that tracks and limits requests based on various identifiers (IP address, user ID, API key).

Rate limiting can be implemented using different strategies such as fixed window, sliding window, or token bucket algorithms. Most frameworks and cloud services provide built-in rate limiting solutions.

Code Samples

Vulnerable Code

const express = require('express');
const router = express.Router();

router.get('/', function (req, res) {
    setHeaders(res);
    let params = getSessionParams(req);
    res.render('pages/index', params);
});

Fixed Code

const express = require('express');
const rateLimit = require('express-rate-limit');
const router = express.Router();

const limiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100 // limit each IP to 100 requests per windowMs
});

router.get('/', limiter, function (req, res) {
    setHeaders(res);
    let params = getSessionParams(req);
    res.render('pages/index', params);
});

Fix Explanation

The vulnerable code has no request limiting mechanism.The fix uses express-rate-limit middleware.Configures a 15-minute window with max 100 requests per IP.Additional options available for customization (error messages, headers, etc.).

Vulnerable Code

from flask import Flask

@app.route("/api/data")
def get_data():
    return jsonify({"data": "sensitive information"})

Fixed Code

from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

limiter = Limiter(
    app,
    key_func=get_remote_address,
    default_limits=["200 per day", "50 per hour"]
)

@app.route("/api/data")
@limiter.limit("1 per second")
def get_data():
    return jsonify({"data": "sensitive information"})

Fix Explanation

The vulnerable code allows unlimited requests to the endpoint.The fix uses Flask-Limiter to implement rate limiting.Defines both global and route-specific limits.Supports multiple time windows and limit types.

Vulnerable Code

@RestController
public class ApiController {
    @GetMapping("/api/resource")
    public ResponseEntity<?> getResource() {
        return ResponseEntity.ok(resourceService.getData());
    }
}

Fixed Code

@RestController
public class ApiController {
    @GetMapping("/api/resource")
    @RateLimiter(name = "basic")
    public ResponseEntity<?> getResource() {
        return ResponseEntity.ok(resourceService.getData());
    }
}

@Configuration
public class RateLimitConfig {
    @Bean
    public RateLimiterConfig rateLimiterConfig() {
        return RateLimiterConfig.custom()
            .limitForPeriod(10)
            .limitRefreshPeriod(Duration.ofSeconds(1))
            .timeoutDuration(Duration.ofMillis(500))
            .build();
    }
}

Fix Explanation

The vulnerable code has no request throttling.The fix uses Spring Cloud Circuit Breaker's RateLimiter.Configures limits per time period and timeout duration.Provides fallback mechanisms for rate limit exceeded scenarios.

Vulnerable Code

Route::post('/api/endpoint', function (Request $request) {
    return response()->json(['status' => 'success']);
});

Fixed Code

Route::middleware('throttle:60,1')->group(function () {
    Route::post('/api/endpoint', function (Request $request) {
        return response()->json(['status' => 'success']);
    });
});

// In RouteServiceProvider.php
protected function configureRateLimiting()
{
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
    });
}

Fix Explanation

The vulnerable code allows unlimited API requests.The fix uses Laravel's built-in throttle middleware.Limits requests to 60 per minute per user/IP.Supports custom rate limiting rules and response handling.

Vulnerable Code

func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello, World!")
}

http.HandleFunc("/", handler)

Fixed Code

import "golang.org/x/time/rate"

var limiter = rate.NewLimiter(rate.Every(time.Second), 10)

func rateLimitMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if !limiter.Allow() {
            http.Error(w, "Too many requests", http.StatusTooManyRequests)
            return
        }
        next.ServeHTTP(w, r)
    })
}

func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello, World!")
}

router := mux.NewRouter()
router.Handle("/", rateLimitMiddleware(http.HandlerFunc(handler)))

Fix Explanation

The vulnerable code has no request rate control.The fix uses Go's rate package to implement token bucket algorithm.Limits to 10 requests per second.Returns 429 Too Many Requests when limit is exceeded.

Need more help in implementing Rate Limiting?

Mobb supports fixing many forms of Missing Rate Limiting vulnerabilities, and can mitigate your issues in batch.

Start now for free at app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

Book a meeting or Contact us if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai

PreviousMissing Check against Null NextRegex Missing Timeout

Last updated 11 months ago

hashtagTools recognizing this:

hashtagWhat is Missing Rate Limiting and How Does it Work?

hashtagOne Simple Rate Limiting Attack Example

hashtagRate Limiting Prevention Methods: How to Fix Your Code

hashtagCode Samples

hashtagNeed more help in implementing Rate Limiting?

hashtagWe'd love your feedback!

Tools recognizing this:

What is Missing Rate Limiting and How Does it Work?

One Simple Rate Limiting Attack Example

Rate Limiting Prevention Methods: How to Fix Your Code

Code Samples

Need more help in implementing Rate Limiting?

We'd love your feedback!