What is rate limiting?
Rate limiting refers to the practice of controlling the number of requests that can be made to a service over a defined period. For instance, an API might allow only 100 requests per minute from a single user or IP address. If this limit is exceeded, the service will typically return an error message indicating that the rate limit has been surpassed.
Discover
Let’s see there is a feature for inviting teammate on a web app.
Users can send invitation to team member’s email.
Go to any temporary online email service and use it to receive the invitation later.
- Intercept the traffic when the invitation is being sent.
- Sent the traffic to Intruder.
- Choose attacker type :
Sniper - Go to Payloads tab and select
Null payloadsfor payload type, under Payload sets. - Start Attack
- After finishing the attack, if only 200 status code is shown, it is vulnerable.
- Check email inbox, it must have 100+ invitations coming in.
Impact
- Emailing bombing
- Resource Wastage
- Denial of Service
Mitigation
- Rate limit function
- CAPTCHA