Missing rate limiting allows attackers to perform brute force attacks, credential stuffing, API abuse, and denial of service by making unlimited requests.
Missing Rate Limiting is a vulnerability where an application does not restrict the number or frequency of requests a user or client can make to a particular endpoint or resource. Without rate limits, there is no mechanism to prevent abuse of API endpoints, authentication forms, or resource-intensive operations.
This vulnerability is particularly relevant for: login and authentication endpoints (allowing brute force attacks); password reset and OTP verification endpoints (allowing enumeration and bypasses); API endpoints that return sensitive data (allowing mass data harvesting); resource-intensive operations like file processing or report generation (allowing resource exhaustion); and endpoints that send emails or SMS messages (allowing spam or cost amplification).
Without rate limiting, attackers can automate attacks at scale. Credential stuffing attacks can try thousands of username/password combinations per second. API abuse can extract large volumes of data or incur significant compute costs. Brute force attacks on OTP codes or short tokens become feasible. Denial of service attacks can overwhelm backend resources. For SaaS applications, missing rate limits can lead to unexpected infrastructure costs as attackers consume compute, bandwidth, and third-party API quotas. Rate limiting is also a requirement for compliance with many security standards.
Implement rate limiting on all externally accessible endpoints, with stricter limits on authentication and sensitive operations. Use a distributed rate limiting solution (Upstash, Redis) for serverless deployments. Apply different rate limit tiers based on authentication status and user role. Implement exponential backoff for failed authentication attempts. Use CAPTCHA as a secondary defense for endpoints under heavy abuse. Return appropriate HTTP 429 (Too Many Requests) responses with Retry-After headers. Monitor rate limit hits to detect attack patterns. Consider using an API gateway (Kong, AWS API Gateway) that provides built-in rate limiting. Implement per-user, per-IP, and global rate limits as separate layers.
Select your framework for a detailed guide on fixing Missing Rate Limiting with framework-specific code examples and security checklists.
Cross-Site Scripting (XSS)
XSS allows attackers to inject malicious scripts into web pages viewed by other users, enabling session hijacking, data theft, and defacement.
SQL Injection
SQL Injection allows attackers to interfere with database queries, potentially reading, modifying, or deleting data, and in some cases executing system commands.
Cross-Site Request Forgery (CSRF)
CSRF forces authenticated users to execute unwanted actions on a web application, exploiting the trust a site has in a user's browser.
Insecure Direct Object References (IDOR)
IDOR occurs when an application exposes internal implementation objects (like database IDs) and fails to verify that users are authorized to access the referenced resource.
Broken Authentication
Broken authentication encompasses weaknesses in session management, credential handling, and identity verification that allow attackers to compromise user accounts.
Security Misconfiguration
Security misconfiguration encompasses insecure default settings, open cloud storage, verbose error messages, unnecessary features, and missing security headers.
Sensitive Data Exposure
Sensitive data exposure occurs when applications fail to adequately protect sensitive information like credentials, tokens, personal data, or financial information.
JWT Vulnerabilities
JWT vulnerabilities include algorithm confusion, missing validation, token leakage, and improper key management that can lead to authentication bypass.
Path Traversal
Path traversal allows attackers to access files and directories stored outside the intended directory by manipulating file path references.
Command Injection
Command injection allows attackers to execute arbitrary operating system commands on the server through vulnerable application interfaces.
Server-Side Request Forgery (SSRF)
SSRF allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services, metadata APIs, and private networks.
File Upload Vulnerabilities
Insecure file upload handling can allow attackers to upload malicious files including web shells, malware, or files that exploit server-side processing.
Insecure Deserialization
Insecure deserialization allows attackers to manipulate serialized objects to achieve remote code execution, replay attacks, injection, or privilege escalation.
Row Level Security (RLS) Bypass
RLS bypass vulnerabilities occur when database-level access policies are missing, misconfigured, or can be circumvented, exposing data across tenant boundaries.
SafeVibe runs automated penetration tests to detect Missing Rate Limiting and 14 other vulnerability types in your application.
Start Free Scan