A number of our clients have had Pen tests recently which have come back with issues around rate limiting on the forms.
This includes the Statamic login and password reset forms.
It would be great to be able to adjust this within Statamic rather than having to make changes in Laravel.
Details from the Pen Test
The team sent multiple requests to the endpoint with the same contact information and the server sent 200 OK responses every time.
An attacker can exploit the absence of a rate limit to increase resource consumption, leading to a potential Denial of Service (DoS).
During the assessment process, it was observed that the application lacks rate-limiting in the instances related to login and contact forms.
Recommendations
To mitigate the risk of this issue, the assessment team recommends the following steps:
● Monitoring API activity against rate limit.
● Catching errors caused by rate-limiting.
● Reducing the number of requests allowed.
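For anyone who needs to close this finding while the Statamic-side option is discussed, the following is an added example of the plain Laravel mechanism (it is not Statamic's code and not part of the pen test report): a named rate limiter that counts per client IP and per submitted e-mail address, attached with the `throttle` middleware to the application's own form routes, with a 429 response that also writes a log line so throttling shows up in monitoring. The provider class name, the limiter name `forms`, the route paths, the `email` field name and the controller classes are assumptions for this example; attaching the same limiter to Statamic's built-in login and password reset routes is exactly what the issue above asks for and is not shown here.

```php
<?php
// Added example (not Statamic's or the issue author's code). Shows the Laravel
// mechanism: a named rate limiter plus the "throttle" middleware on the
// application's own form routes. The limiter name "forms", the route paths, the
// "email" field name and the controller classes are assumptions.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\ServiceProvider;

class FormRateLimitServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Named limiter returning two limits that are evaluated together. The first
        // caps requests per client IP; the second caps attempts per submitted e-mail
        // address so one address cannot be hammered from many IPs. Keys are prefixed
        // so the two counters never collide. Counters live in the configured cache
        // store, so they are shared across all web workers.
        RateLimiter::for('forms', function (Request $request) {
            $limits = [
                Limit::perMinute(10)->by('ip:'.$request->ip())->response(
                    fn (Request $request, array $headers) => $this->tooManyRequests($request, $headers)
                ),
            ];

            $email = strtolower(trim((string) $request->input('email', '')));
            if ($email !== '') {
                // Only add the per-address limit when an address was submitted, so
                // anonymous requests do not all share one empty-key bucket.
                $limits[] = Limit::perMinute(3)->by('email:'.$email)->response(
                    fn (Request $request, array $headers) => $this->tooManyRequests($request, $headers)
                );
            }

            return $limits;
        });

        // Apply the limiter to the form endpoints (assumed routes and controllers).
        // Throttled requests never reach the controller, so the repeated 200 OK seen
        // in the test becomes a 429 once either limit is exceeded.
        Route::middleware(['web', 'throttle:forms'])->group(function () {
            Route::post('/contact', [\App\Http\Controllers\ContactController::class, 'store']);
            Route::post('/password/email', [\App\Http\Controllers\PasswordResetController::class, 'send']);
        });
    }

    // Custom 429 response: logs the event so throttling is visible in monitoring and
    // passes through the Retry-After / X-RateLimit-* headers Laravel supplies, so a
    // well-behaved client can back off instead of retrying immediately.
    private function tooManyRequests(Request $request, array $headers)
    {
        Log::warning('form rate limit hit', [
            'path'        => $request->path(),
            'ip'          => $request->ip(),
            'retry_after' => $headers['Retry-After'] ?? null,
        ]);

        return response()->json(
            ['message' => 'Too many requests, please try again shortly.'],
            429,
            $headers
        );
    }
}
```

The provider has to be registered like any other (in `config/app.php` or `bootstrap/providers.php`, depending on the Laravel version), and the counters only work across multiple PHP workers if the cache store is shared (Redis, database, or similar rather than the `array` driver). The per-address limit is deliberately lower than the per-IP one: the pen test observation was repeated submissions with the same contact information, and keying on that value is what stops a single target from being flooded from a pool of addresses.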