Medium SeverityA04:2021 - Insecure DesignCWE-770

How to Fix Missing Rate Limiting in ASP.NET

Learn how to prevent and fix Missing Rate Limiting vulnerabilities in ASP.NET applications. Step-by-step guide with code examples, security checklists, and best practices.

What Is Missing Rate Limiting?

Missing Rate Limiting is a vulnerability where an application does not restrict the number or frequency of requests a user or client can make to a particular endpoint or resource. Without rate limits, there is no mechanism to prevent abuse of API endpoints, authentication forms, or resource-intensive operations.

This vulnerability is particularly relevant for: login and authentication endpoints (allowing brute force attacks); password reset and OTP verification endpoints (allowing enumeration and bypasses); API endpoints that return sensitive data (allowing mass data harvesting); resource-intensive operations like file processing or report generation (allowing resource exhaustion); and endpoints that send emails or SMS messages (allowing spam or cost amplification).

In serverless and edge environments (Vercel, Cloudflare Workers), traditional rate limiting using in-memory counters does not work because each request may be handled by a different instance. Applications in these environments need distributed rate limiting using external stores like Redis, Upstash, or purpose-built services.

Why It Matters

Without rate limiting, attackers can automate attacks at scale. Credential stuffing attacks can try thousands of username/password combinations per second. API abuse can extract large volumes of data or incur significant compute costs. Brute force attacks on OTP codes or short tokens become feasible. Denial of service attacks can overwhelm backend resources. For SaaS applications, missing rate limits can lead to unexpected infrastructure costs as attackers consume compute, bandwidth, and third-party API quotas. Rate limiting is also a requirement for compliance with many security standards.

How to Fix It in ASP.NET

Implement rate limiting on all externally accessible endpoints, with stricter limits on authentication and sensitive operations. Use a distributed rate limiting solution (Upstash, Redis) for serverless deployments. Apply different rate limit tiers based on authentication status and user role. Implement exponential backoff for failed authentication attempts. Use CAPTCHA as a secondary defense for endpoints under heavy abuse. Return appropriate HTTP 429 (Too Many Requests) responses with Retry-After headers. Monitor rate limit hits to detect attack patterns. Consider using an API gateway (Kong, AWS API Gateway) that provides built-in rate limiting. Implement per-user, per-IP, and global rate limits as separate layers.

ASP.NET-Specific Advice

Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.
Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.
ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.
Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.

ASP.NET Security Checklist for Missing Rate Limiting

Add rate limiting to all authentication endpoints in ASP.NET

Implement per-user, per-IP, and global rate limit tiers

Use a distributed rate limiting solution (Upstash, Redis) for serverless deployments

Return HTTP 429 responses with Retry-After headers when limits are exceeded

Add CAPTCHA as a secondary defense for heavily abused endpoints

Monitor rate limit hits to detect and respond to attack patterns

Run SafeVibe's rate limiting scan on your ASP.NET application

ASP.NET Security Best Practices

Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.

Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.

ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.

Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.

Use ASP.NET Identity for authentication with proper password hashing (PBKDF2 by default). Never implement custom password storage.

Configure HTTPS redirection and HSTS in `Program.cs`. Use `app.UseHttpsRedirection()` and `app.UseHsts()` in production.

Use `[Authorize]` attributes and policy-based authorization for route-level and action-level access control.

Implement rate limiting using ASP.NET Core's built-in `RateLimiter` middleware (available from .NET 7+).

Scan Your ASP.NET App with SafeVibe

Stop guessing if your ASP.NET app is vulnerable to Missing Rate Limiting. Run an automated penetration test in minutes and get actionable results.

Start Free Scan

Related Guides

Missing Rate Limiting in Other Frameworks

Next.js Nuxt SvelteKit Remix

View all Missing Rate Limiting guides

More ASP.NET Security Guides

Cross-Site Scripting (XSS)SQL Injection Cross-Site Request Forgery (CSRF)Insecure Direct Object References (IDOR)

View all ASP.NET guides

What Is Missing Rate Limiting?

Why It Matters

How to Fix It in ASP.NET

ASP.NET-Specific Advice

Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.
Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.
ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.
Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.