Missing API Rate Limiting

How attackers find and exploit it

• Enumerate the target's API surface through passive recon: crawl JavaScript bundles, mobile-app traffic, public OpenAPI or Swagger documents, and DNS records to build a list of reachable endpoints such as /api/v1/login, /graphql, /password-reset, and /search.
• Probe each endpoint with a short burst of identical requests and watch for the absence of HTTP 429 responses, Retry-After headers, or X-RateLimit-* headers, which signals that no throttling is enforced.
• Identify the highest-value unthrottled endpoint, prioritizing authentication and OTP/reset flows for account takeover, and search or pagination endpoints for scraping.
• Run credential stuffing or password spraying by replaying breached credential lists at high volume, often distributed across a proxy or residential botnet to defeat any per-IP heuristics, until valid sessions are obtained.
• Abuse expensive operations to exhaust resources or drive cost: send large or batched payloads (for example GraphQL query batching or deeply nested queries), request oversized pagination like ?limit=9999999, or loop SMS/email triggers to overwhelm CPU, memory, third-party quotas, or billing.
• Automate enumeration of objects and accounts by iterating identifiers or usernames to harvest data and confirm which accounts exist, using error and timing differences as oracles.

How to detect it on your surface

• Inventory every internet-reachable API endpoint, including undocumented, legacy, and versioned paths (v1, v2, internal/), since rate limiting is frequently applied to the primary login form but forgotten on a parallel mobile or partner endpoint.
• For each endpoint, send a controlled burst of authenticated and unauthenticated requests from a single source and record whether the server ever returns 429 or begins delaying responses.
• Inspect responses for rate-limit signaling headers (X-RateLimit-Limit, X-RateLimit-Remaining, RateLimit, Retry-After); their total absence across an endpoint is a strong indicator that no limit is enforced.
• Test authentication-specific protections separately: submit repeated failed logins for a single account and from a single IP to confirm whether account lockout, exponential backoff, or anti-automation (CAPTCHA, MFA step-up) ever engages.
• Review API gateway, WAF, and load-balancer configuration to confirm a rate-limiting or throttling policy is actually bound to each route rather than merely available but unattached.

Detection signals

• Hundreds of consecutive requests from one client receive 200/401/403 responses with no 429 'Too Many Requests' ever returned.
• Responses lack any rate-limit headers such as X-RateLimit-Remaining, RateLimit-Limit, or Retry-After even under sustained load.
• Login or reset endpoints accept unlimited failed attempts against the same account with no lockout, no increasing delay, and no CAPTCHA or MFA challenge.
• Pagination, search, or GraphQL endpoints honor arbitrarily large or batched requests (for example very large limit/page-size values or multi-operation batched mutations) without rejection.
• Server-side latency, CPU, or error rates climb in proportion to request volume from a single source, indicating no upstream throttle is shedding load.

Validate before you report

• Reproduce the missing limit safely: from a single controlled source, send a bounded sequence of requests (for example 100 over 60 seconds) to the candidate endpoint and confirm no 429 or throttling delay appears, capturing full request/response pairs as evidence.
• Distinguish a true unthrottled endpoint from an upstream block by confirming responses remain legitimate application responses (valid 200/401/403 bodies) rather than WAF or CDN interstitials.
• Test the specific abuse path that defines the finding, for example repeated failed logins for one account to prove no lockout, or an oversized/batched request to prove no payload cap, rather than only measuring raw request count.
• Verify the control is genuinely absent and not just permissive by comparing behavior against a sibling endpoint or documented policy, ruling out a high-but-present threshold.
• Record the evidence set, the endpoint, method, timestamps, request volume, and the absent 429/lockout, so the finding is reproducible and severity can be assigned to the actual reachable path.

What looks like this but isn't

• A high threshold is not the same as no limit: an endpoint that tolerates 100 requests but returns 429 at 500 is rate limited, so confirm the cap is truly absent before flagging.
• Throttling may live upstream at a CDN, WAF, or API gateway rather than on the application, so a clean origin response does not prove the public-facing path is unprotected; test through the real internet-facing hostname.
• Authentication endpoints may enforce per-account lockout or CAPTCHA instead of per-IP rate limiting, which still mitigates credential stuffing; verify that no anti-automation control engages before concluding the endpoint is exposed.
• A non-production, sandbox, or intentionally public read-only endpoint may have rate limiting deliberately relaxed; confirm the endpoint serves real users or sensitive operations before assigning impact.

Remediation

• Enforce rate limiting on every internet-facing endpoint at the API gateway, reverse proxy, or framework layer, keying limits on the strongest available client identity (authenticated token or API key first, then IP) and returning HTTP 429 with a Retry-After header.
• Apply stricter, dedicated anti-automation limits to authentication, password-reset, OTP, and other sensitive endpoints, going beyond ordinary API throttling as OWASP recommends for these high-value flows.
• Add credential-stuffing defenses that do not rely on per-IP limits alone: enforce or step up multi-factor authentication, implement progressive delays and account lockout on repeated failures, and check submitted passwords against known-breached lists.
• Constrain resource cost per request by validating and capping payload size, pagination limits, query depth and complexity (for GraphQL), and the number of batched operations, addressing the resource-consumption side of OWASP API4:2023.
• Set spending limits and billing alerts on metered third-party services (SMS, email, cloud egress and compute) so an abuse spike cannot translate into unbounded cost.
• Monitor and alert on 429 rates, per-client request volume, and authentication failure spikes, then feed this telemetry back into tuning thresholds and triggering graduated responses.

Operational checklist

• Maintain a living inventory of all public API endpoints and require that each new or changed route ships with an explicit, attached rate-limiting policy before release.
• Default-deny on rate limits: new endpoints inherit a sensible global throttle unless a route-specific policy is defined, so nothing reaches production unthrottled by omission.
• Hold authentication, reset, and OTP endpoints to a stricter standard with lockout/backoff plus MFA, and review these controls whenever the auth flow changes.
• Continuously scan the external surface for endpoints that return no 429 or rate-limit headers under controlled bursts, including legacy and versioned paths.
• Configure billing alerts and hard spending caps on all metered downstream services consumed by APIs.
• Track 429 volume, top talkers, and login-failure ratios on a dashboard and alert on anomalous spikes that indicate stuffing, scraping, or DoS in progress.

Weakness references (CWE)

• CWE-770 — Allocation of Resources Without Limits or Throttling
• CWE-799 — Improper Control of Interaction Frequency