Unauthenticated route without rate limit

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

Unauthenticated users are allowed to consume this exposed endpoint, which does not implement any rate-limiting protection.

A malicious user could abuse this endpoint to incur significant resources consumtion and potentially disrupt your application.

Rationale

This finding works by:

  • Identifying an API that lacks an authentication mechanism
  • Is processing traffic from the internet.
  • There is no business logic rate limiting rule associated with this endpoint

Remediation

  • Set up rate-limiting using a detection rule on this API
  • Implement authentication to prevent non-intended users interaction with the API
  • Require a challenge to prevent automated traffic and slow down resource exhaustion
  • Keep track of this business flow by adding business logic information to the endpoint