Description

Unauthenticated users are allowed to consume this exposed endpoint, which does not implement any rate-limiting protection.

A malicious user could abuse this endpoint to incur significant resources consumtion and potentially disrupt your application.

Rationale

This finding works by:

• Identifying an API that lacks an authentication mechanism
• Is processing traffic from the internet.
• There is no business logic rate limiting rule associated with this endpoint

Remediation

• Set up rate-limiting using a detection rule on this API
• Implement authentication to prevent non-intended users interaction with the API
• Require a challenge to prevent automated traffic and slow down resource exhaustion
• Keep track of this business flow by adding business logic information to the endpoint