Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page
  • What is Missing Rate Limiting and How Does it Work?
  • One Simple Rate Limiting Attack Example
  • Rate Limiting Prevention Methods: How to Fix Your Code
  • Code Samples
  • Need more help in implementing Rate Limiting?
  • We'd love your feedback!

Was this helpful?

  1. Fixing Guides

Missing Rate Limiting

Learn how to prevent rate limiting attacks with real code examples and best practices. Protect your application from brute force attacks and denial of service.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Missing Rate Limiting and How Does it Work?

Missing Rate Limiting is a security vulnerability that occurs when an application fails to limit the number of requests a user or IP address can make within a specific time period. Without proper rate limiting, attackers can perform:

  • Brute force attacks on authentication endpoints

  • Denial of Service (DoS) attacks

  • API abuse and scraping

  • Resource exhaustion

  • Excessive costs in pay-per-use services

This guide covers Rate Limiting implementation, examples, prevention methods, and how to properly secure your endpoints using real-world techniques.

One Simple Rate Limiting Attack Example

Consider this vulnerable API endpoint without rate limiting:

app.post('/login', function(req, res) {
    const { username, password } = req.body;
    authenticateUser(username, password);
});

An attacker could make thousands of requests per second to this endpoint:

while true; do curl -X POST http://api.example.com/login; done

This could lead to:

Server overload Increased costs Successful brute force attacks

Rate Limiting Prevention Methods: How to Fix Your Code

The most efficient way to fix Missing Rate Limiting is by implementing a rate limiter middleware that tracks and limits requests based on various identifiers (IP address, user ID, API key).

Rate limiting can be implemented using different strategies such as fixed window, sliding window, or token bucket algorithms. Most frameworks and cloud services provide built-in rate limiting solutions.

Code Samples

Vulnerable Code

const express = require('express');
const router = express.Router();

router.get('/', function (req, res) {
    setHeaders(res);
    let params = getSessionParams(req);
    res.render('pages/index', params);
});

Fixed Code

const express = require('express');
const rateLimit = require('express-rate-limit');
const router = express.Router();

const limiter = rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100 // limit each IP to 100 requests per windowMs
});

router.get('/', limiter, function (req, res) {
    setHeaders(res);
    let params = getSessionParams(req);
    res.render('pages/index', params);
});

Fix Explanation

The vulnerable code has no request limiting mechanism.The fix uses express-rate-limit middleware.Configures a 15-minute window with max 100 requests per IP.Additional options available for customization (error messages, headers, etc.).

Vulnerable Code

from flask import Flask

@app.route("/api/data")
def get_data():
    return jsonify({"data": "sensitive information"})

Fixed Code

from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

limiter = Limiter(
    app,
    key_func=get_remote_address,
    default_limits=["200 per day", "50 per hour"]
)

@app.route("/api/data")
@limiter.limit("1 per second")
def get_data():
    return jsonify({"data": "sensitive information"})

Fix Explanation

The vulnerable code allows unlimited requests to the endpoint.The fix uses Flask-Limiter to implement rate limiting.Defines both global and route-specific limits.Supports multiple time windows and limit types.

Vulnerable Code

@RestController
public class ApiController {
    @GetMapping("/api/resource")
    public ResponseEntity<?> getResource() {
        return ResponseEntity.ok(resourceService.getData());
    }
}

Fixed Code

@RestController
public class ApiController {
    @GetMapping("/api/resource")
    @RateLimiter(name = "basic")
    public ResponseEntity<?> getResource() {
        return ResponseEntity.ok(resourceService.getData());
    }
}

@Configuration
public class RateLimitConfig {
    @Bean
    public RateLimiterConfig rateLimiterConfig() {
        return RateLimiterConfig.custom()
            .limitForPeriod(10)
            .limitRefreshPeriod(Duration.ofSeconds(1))
            .timeoutDuration(Duration.ofMillis(500))
            .build();
    }
}

Fix Explanation

The vulnerable code has no request throttling.The fix uses Spring Cloud Circuit Breaker's RateLimiter.Configures limits per time period and timeout duration.Provides fallback mechanisms for rate limit exceeded scenarios.

Vulnerable Code

Route::post('/api/endpoint', function (Request $request) {
    return response()->json(['status' => 'success']);
});

Fixed Code

Route::middleware('throttle:60,1')->group(function () {
    Route::post('/api/endpoint', function (Request $request) {
        return response()->json(['status' => 'success']);
    });
});

// In RouteServiceProvider.php
protected function configureRateLimiting()
{
    RateLimiter::for('api', function (Request $request) {
        return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
    });
}

Fix Explanation

The vulnerable code allows unlimited API requests.The fix uses Laravel's built-in throttle middleware.Limits requests to 60 per minute per user/IP.Supports custom rate limiting rules and response handling.

Vulnerable Code

func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello, World!")
}

http.HandleFunc("/", handler)

Fixed Code

import "golang.org/x/time/rate"

var limiter = rate.NewLimiter(rate.Every(time.Second), 10)

func rateLimitMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if !limiter.Allow() {
            http.Error(w, "Too many requests", http.StatusTooManyRequests)
            return
        }
        next.ServeHTTP(w, r)
    })
}

func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello, World!")
}

router := mux.NewRouter()
router.Handle("/", rateLimitMiddleware(http.HandlerFunc(handler)))

Fix Explanation

The vulnerable code has no request rate control.The fix uses Go's rate package to implement token bucket algorithm.Limits to 10 requests per second.Returns 429 Too Many Requests when limit is exceeded.

Need more help in implementing Rate Limiting?

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

PreviousMissing Check against NullNextRegex Missing Timeout

Last updated 2 months ago

Was this helpful?

supports fixing many forms of Missing Rate Limiting vulnerabilities, and can mitigate your issues in batch.

Start now for free at

or if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai

Mobb
app.mobb.ai
Book a meeting
Contact us