Skip to main content
Version: v1

Rate Limiting Issues

RateLimit

What is it?

Rate Limiting Issues occur when APIs fail to properly restrict the number or frequency of requests a client can make within a given time window.

Without effective rate limiting, APIs become vulnerable to abuse scenarios such as brute force attacks, credential stuffing, enumeration, scraping, and amplification of Denial of Service (DoS).

Rate limiting is a preventive control, distinct from DoS vulnerabilities, that ensures fair usage and protects backend systems from excessive or abusive traffic.

What are specific examples?

  • No rate limits on authentication endpoints (login, OTP, password reset)
  • Unlimited requests per user, API key, or IP address
  • Weak or easily bypassable throttling mechanisms
  • Rate limits applied inconsistently across endpoints
  • Missing rate limits on resource enumeration APIs
  • Shared rate limits across tenants leading to noisy neighbor issues
  • Lack of adaptive throttling for suspicious behavior

Test case FAQs

When is this test case applicable?

  • Authentication and account-related endpoints
  • Public APIs exposed to external users
  • Endpoints susceptible to enumeration or brute force
  • High-frequency or resource-sensitive operations

How does it work?

Prerequisites

  • Identification of endpoints expected to enforce rate limits
  • Ability to generate repeated or concurrent requests
  • Optional variation across identities (IP, user, API key)

Test sequence

  1. Send a burst of requests to the target endpoint within a short time window
  2. Gradually increase request frequency and concurrency
  3. Observe for rate limiting responses (e.g., 429 Too Many Requests)
  4. Attempt bypass techniques:
    • Changing IP addresses or headers
    • Rotating API keys or user accounts
    • Modifying request patterns
  5. Evaluate consistency of rate limiting across:
    • Different endpoints
    • Different users or roles
  6. Measure threshold limits and enforcement behavior

Success/Failure indications

  • Failure (vulnerable):

    • No rate limiting enforced under high request volume
    • Excessive requests processed without throttling
    • Rate limits easily bypassed using simple techniques
    • Inconsistent enforcement across endpoints or identities

  • Success (secure):

    • Requests are throttled after defined thresholds (429 responses)
    • Rate limits enforced consistently across endpoints
    • Bypass attempts are ineffective
    • Adaptive controls triggered for suspicious patterns

What is the solution?

  • Implement per-user, per-IP, and per-API key rate limits
  • Apply stricter limits on sensitive endpoints (authentication, financial actions)
  • Use adaptive rate limiting based on behavior and risk signals
  • Enforce global and endpoint-specific thresholds
  • Return clear rate limit headers (Retry-After, quota info)
  • Monitor and alert on abnormal request patterns
  • Combine rate limiting with CAPTCHA or MFA for high-risk flows

References

Was this page helpful?