stefanprodan / WebApiThrottle

ASP.NET Web API rate limiter for IIS and Owin hosting
MIT License

Security hole when using ClientKey white listing #132

Open lukaskolafa opened 5 years ago

lukaskolafa commented 5 years ago

Hello,

I fear I found a security hole in the white list feature by ClientKeys. In order to make this configuration to work:

<whitelists>
    <add policyType="2" entry="some-user" />
</whitelists>

you have to configure this setting:

<throttlePolicy clientThrottling="true">

Without clientThrottling enabled, the whitelists are ignored.

The problem with that is that enabling clientThrottling is IMHO a security hole, because this allows hackers to bypass the throttling by sending random clientIds.

It would be great if the ClientKey whitelists would also work without clientThrottling enabled.

Many thanks for the great project and your support!

Best, Lukas
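The configuration interaction described in the issue, modelled as an added example in Python (a simplified model written here, not WebApiThrottle's own code): the client whitelist is only consulted when client throttling is on, a counter keyed only on the client-supplied key can be rotated by sending a fresh key per request, and a counter keyed on the caller's IP still limits those requests. The limit, the IP address 203.0.113.7 and the request sequences are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ThrottlePolicy:
    limit: int                      # max requests per window for each counter key
    ip_throttling: bool = False     # count requests per caller IP
    client_throttling: bool = False # count requests per client-supplied key
    client_whitelist: set = field(default_factory=set)


class Throttler:
    def __init__(self, policy: ThrottlePolicy):
        self.policy = policy
        self.counters = defaultdict(int)  # (kind, identity) -> requests seen

    def is_whitelisted(self, client_key: str) -> bool:
        # As the issue describes: the ClientKey whitelist is ignored unless
        # client throttling is enabled.
        return self.policy.client_throttling and client_key in self.policy.client_whitelist

    def allow(self, ip: str, client_key: str) -> bool:
        if self.is_whitelisted(client_key):
            return True
        keys = []
        if self.policy.ip_throttling:
            keys.append(("ip", ip))
        if self.policy.client_throttling:
            keys.append(("client", client_key))
        for key in keys:
            self.counters[key] += 1
        # With no throttling enabled at all, keys is empty and every request passes.
        return all(self.counters[key] <= self.policy.limit for key in keys)


def count_allowed(policy: ThrottlePolicy, requests) -> int:
    """Replay (ip, client_key) pairs through a fresh throttler; return how many pass."""
    throttler = Throttler(policy)
    return sum(throttler.allow(ip, key) for ip, key in requests)


if __name__ == "__main__":
    # Constructed sample: one IP sending 30 requests, each with a never-seen key.
    rotating = [("203.0.113.7", f"key-{i}") for i in range(30)]
    print(count_allowed(ThrottlePolicy(10, client_throttling=True), rotating))
    print(count_allowed(ThrottlePolicy(10, ip_throttling=True, client_throttling=True), rotating))
```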