Title: ratelimit_authenticated Vulnerability on GET:/api/v1/transfers
Project: Devtest
Description:
Assertion Name: RateLimit Authenticated ( 1 )
Overview: Quite often, APIs do not impose any restrictions on the size or number of resources that a client/user can request. Not only can this degrade API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force. ( 1 )
This category checks APIs that are secured and require users to authenticate before they can be accessed.
Severity: Lack of Resources and Rate Limiting is ranked 4th in the OWASP API Security Top 10 2019. ( 1 )
Vulnerability Impact: Without rate limiting in place, a malicious user can repeatedly hammer the API, enabling the following actions, each of which can be detrimental to the company's security posture. ( 2 )
Brute force attacks against authentication
Straining and draining server resources, leading to DoS and DDoS
Web scraping to harvest confidential data
Remediation: Based on the business needs of the company, the following rate-limiting techniques may be employed.
User Rate Limiting: Limit the number of requests a user may make, keyed by their API key or IP address.
Geographic Rate Limiting: Set rate limits for particular regions and particular time periods.
Server Rate Limiting: Set rate limits on a per-server basis to ensure each server handles only certain aspects of the application.
References:
Risk: ratelimit_authenticated
Severity: Medium
API Endpoint: http://netbanking.apisec.ai:8080/api/v1/transfers
Environment: Master
Playbook: ApiV1TransfersGetRatelimitAuthenticated
Researcher: Default
QUICK TIPS
Suggestion:
Effort Estimate: null Hrs
Wire Logs:
IMPORTANT LINKS
Vulnerability Details: https://developer.apisec.ai/#/app/projects/8a74813e82019c24018201d4468d0224/dashboard/8a74813e82019c24018201db2999144c/details
Project: https://developer.apisec.ai/#/app/projects/8a74813e82019c24018201d4468d0224/dashboard
Environment: https://developer.apisec.ai/#/app/config-environments/projects/8a74813e82019c24018201d4468d0224/environmentList
Scan Dashboard: https://developer.apisec.ai/#/app/projects/8a74813e82019c24018201d4468d0224/profiles/8a74813e82019c24018201d4aefb070a/runs/8a74813e82019c24018201db1de41443
Playbook: https://developer.apisec.ai/#/app/projects/8a74813e82019c24018201d4468d0224/playbooks/ApiV1TransfersGetRatelimitAuthenticated
Coverage: https://developer.apisec.ai/#/app/config-categories/projects/8a74813e82019c24018201d4468d0224/categories
Code Sample: https://developer.apisec.ai/#/app/projects/8a74813e82019c24018201d4468d0224/dashboard/8a74813e82019c24018201db2999144c/codesamples
PS: Please contact support@apisec.ai for apisec access and login issues.
--- apisec Bot ---