Vulnerability Details
Severity:
Medium
Category:
auth
Description
The application does not enforce rate limiting on sensitive endpoints (login, password reset and similar authentication flows), so a single client can send an unbounded number of requests. Nothing slows down credential guessing, and the endpoints can be hammered until server resources are exhausted.
Risks
An attacker can make unlimited login attempts against a target account (password brute forcing or credential stuffing), distinguish valid from invalid usernames by sending many probes and comparing responses, exhaust server resources with high request volumes, and call other API endpoints without restriction.
Remediation
Implement rate limiting on authentication endpoints, combining a cap on attempts per time window with an exponential backoff that grows after each consecutive failure. Key the limits on both the target account and the client source; a per-IP limit alone is defeated by distributing the attempts, while a per-account limit alone lets an attacker lock a victim out. Add a CAPTCHA after a small number of failed attempts. Consider account lockout policies, but keep them temporary and combined with source-based limits so they cannot be abused for denial of service. Return the same error message and take the same time for unknown usernames as for wrong passwords. Enforce limits at an API gateway with built-in rate limiting as well, so they apply before requests reach the application.
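The following is an added worked example, not code from the affected application. It shows one way to implement the remediation above in Python: a sliding-window cap layered with exponential backoff, applied per account and per client IP, in front of a credential check that responds identically for unknown users. The user store, the client IP addresses and the injectable clock are constructed for the demonstration.

```python
"""Added example: login guard combining a sliding-window attempt cap with
exponential backoff, keyed on both the account and the client IP.
The user store and clock below are constructed for the demo only."""
import hashlib
import hmac
import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class _Bucket:
    attempts: deque = field(default_factory=deque)  # timestamps inside the window
    failures: int = 0                               # consecutive failures
    blocked_until: float = 0.0                      # backoff expiry (clock units)


class LoginRateLimiter:
    """Limiter for one key (e.g. ("acct", name) or ("ip", addr)).

    Two controls are layered: at most `max_attempts` attempts per `window`
    seconds, and after each consecutive failure a block of
    base * 2**(failures - 1) seconds, capped at `max_backoff`.
    """

    def __init__(self, max_attempts=5, window=60.0, base=2.0,
                 max_backoff=900.0, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.base = base
        self.max_backoff = max_backoff
        self._clock = clock
        self._buckets = {}

    def check(self, key):
        """Return (allowed, retry_after_seconds) without consuming an attempt."""
        now = self._clock()
        b = self._buckets.setdefault(key, _Bucket())
        if now < b.blocked_until:
            return False, b.blocked_until - now
        while b.attempts and now - b.attempts[0] >= self.window:
            b.attempts.popleft()                    # expire old attempts
        if len(b.attempts) >= self.max_attempts:
            return False, self.window - (now - b.attempts[0])
        return True, 0.0

    def record(self, key, success):
        """Consume an attempt; a success clears the backoff state."""
        now = self._clock()
        b = self._buckets.setdefault(key, _Bucket())
        b.attempts.append(now)
        if success:
            b.failures = 0
            b.blocked_until = 0.0
        else:
            b.failures += 1
            delay = min(self.base * 2 ** (b.failures - 1), self.max_backoff)
            b.blocked_until = now + delay


# Constructed user store: sha256 of the password. A real application would
# use a slow KDF (argon2/scrypt); password hashing is not the point here.
USERS = {"alice": hashlib.sha256(b"correct horse").digest()}


def verify_password(username, password):
    digest = hashlib.sha256(password.encode()).digest()
    # Compare against a dummy digest for unknown users so the response and
    # timing do not reveal whether the username exists.
    stored = USERS.get(username, bytes(32))
    return hmac.compare_digest(stored, digest) and username in USERS


def attempt_login(limiter, username, client_ip, password):
    """Gate on both account and source IP. Returns 'ok', 'denied' or
    'rate_limited'; the latter two carry no hint about which check failed."""
    keys = (("acct", username), ("ip", client_ip))
    for key in keys:
        allowed, _retry_after = limiter.check(key)
        if not allowed:
            return "rate_limited"
    ok = verify_password(username, password)
    for key in keys:
        limiter.record(key, ok)
    return "ok" if ok else "denied"


class FakeClock:
    """Deterministic clock so the demo does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


def simulate_brute_force(seconds=60):
    """One wrong guess per second against 'alice' from one IP (constructed
    address). Returns how many guesses reached password verification."""
    clock = FakeClock()
    limiter = LoginRateLimiter(clock=clock.now)
    verified = 0
    for s in range(seconds):
        clock.t = float(s)
        if attempt_login(limiter, "alice", "203.0.113.7", f"guess{s}") != "rate_limited":
            verified += 1
    return verified


if __name__ == "__main__":
    print(simulate_brute_force())
```

With the defaults, the simulated attacker's 60 guesses in one minute collapse to 5 that actually reach the password check (at t = 0, 2, 6, 14 and 30 seconds), and the block grows to 32 seconds and beyond from there. In production the bucket state belongs in a shared store such as Redis so that all application instances enforce the same limits, and the `retry_after` value should be surfaced as a `Retry-After` header.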