Description

This API makes use of third-party services paid for per request and does not implement any rate-limiting protection.

A malicious user could abuse this endpoint to incur significant costs, exceed your quota, and potentially disrupt your application.

Rationale

This finding works by:

• Identify an endpoint using a third-party paid service as a part of its operations, see the following list of services that fall in this category.
• There is no business logic rate limiting rule associated with this endpoint

Remediation

• Set up rate-limiting using a detection rule on this API.
• Require a challenge to prevent automated traffic and slow down resource exhaustion
• Keep track of this sensitive business flow by adding business logic information to the endpoint