Vulnerability Details
Severity: Medium
Category: API
Description
The API lacks rate limiting controls, allowing unlimited requests to be sent to API endpoints, which can facilitate brute force attacks or resource exhaustion.
Risks
An attacker could perform brute force attacks against authentication endpoints, enumerate resources, exhaust server resources causing denial of service, or abuse costly API operations without restriction.
Remediation
Implement rate limiting on all API endpoints using a token bucket or sliding window algorithm. Set appropriate limits per user, per IP address, and per endpoint. Return 429 Too Many Requests with a Retry-After header when a limit is exceeded. Apply graduated (stricter) limits to sensitive endpoints such as authentication.
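The following is an added illustration of the remediation above, not code from the original finding: a token bucket limiter keyed by client and endpoint, with a stricter budget for the login endpoint and a 429 response carrying Retry-After. The endpoint names, limits and the injectable clock are assumptions chosen for the example.

```python
import math
import time
from dataclasses import dataclass

# Per-endpoint budgets as (bucket capacity, refill rate in tokens/second).
# The sensitive endpoint gets a much smaller budget ("graduated" limiting).
# Endpoint names and numbers are illustrative assumptions, not real values.
LIMITS = {
    "POST /login": (5, 0.25),   # burst of 5, then 1 attempt every 4 s
    "GET /items": (100, 2.0),   # burst of 100, then 2 requests/second
}
DEFAULT_LIMIT = (60, 1.0)       # applied to any endpoint not listed above


@dataclass
class Bucket:
    capacity: float
    rate: float
    tokens: float
    updated: float


class TokenBucketLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable for deterministic tests
        self.buckets = {}           # (client, endpoint) -> Bucket

    def check(self, client, endpoint):
        """Return (status, headers): 200 if allowed, 429 with Retry-After if not."""
        capacity, rate = LIMITS.get(endpoint, DEFAULT_LIMIT)
        now = self.clock()
        key = (client, endpoint)    # limit per client AND per endpoint
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(capacity, rate, capacity, now)
            self.buckets[key] = b
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.rate)
        b.updated = now
        if b.tokens >= 1:
            b.tokens -= 1
            return 200, {"X-RateLimit-Remaining": str(int(b.tokens))}
        # Seconds until one whole token is available, rounded up for the header.
        wait = math.ceil((1 - b.tokens) / b.rate)
        return 429, {"Retry-After": str(wait), "X-RateLimit-Remaining": "0"}
```

In a real deployment the bucket store would live in shared storage (for example Redis) so that every API replica enforces the same limits.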