Azure-hosted API Without Rate Limiting

Description

The Azure-hosted API does not implement rate limiting or throttling controls, allowing an unlimited number of requests to be sent in a short period. This can enable brute-force attacks, resource exhaustion, or denial-of-service (DoS) scenarios, especially in a cloud environment where the attacker can repeatedly invoke high-cost or data-intensive operations. Without rate limiting, attackers have a clearer path to overwhelm the backend, disrupt services, or exploit any functionality that scales with each request.

Remediation

Implement rate limiting or throttling at the API, gateway, or application level to restrict the number of requests a client may send over a given timeframe. Azure API Management, Application Gateway, or custom middleware can enforce such limits. Return a clear error response (e.g., HTTP 429 Too Many Requests, ideally with a Retry-After header) to clients that exceed the configured thresholds. Regularly review logs and metrics to identify anomalous traffic spikes. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor suspicious request patterns targeting these publicly accessible endpoints. Periodically test and refine rate-limiting rules to strike the right balance between security and availability.
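As an added illustration of the Azure API Management remediation (not taken from the assessed API or from any Microsoft sample), the inbound policy below limits each calling IP address to 100 calls per 60 seconds and caps each subscription key at 10,000 calls per day; the numbers, header names and the choice of counter keys are assumptions to be tuned per API. When a limit is exceeded, API Management answers with 429 Too Many Requests and the Retry-After header without reaching the backend.

```xml
<!-- Added example policy (hypothetical thresholds), applied at API or product scope -->
<policies>
    <inbound>
        <base />
        <!-- Short-window throttle per source IP: 100 calls per 60 s.
             Blocks brute-force and request floods before they hit the backend. -->
        <rate-limit-by-key calls="100"
                           renewal-period="60"
                           counter-key="@(context.Request.IpAddress)"
                           retry-after-header-name="Retry-After"
                           remaining-calls-header-name="X-RateLimit-Remaining" />
        <!-- Long-window quota per subscription key: 10,000 calls per 24 h.
             Bounds total consumption of high-cost operations by a single consumer. -->
        <quota-by-key calls="10000"
                      renewal-period="86400"
                      counter-key="@(context.Subscription.Key)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Verify the control by sending more than 100 requests within a minute from one address and confirming the 101st receives a 429 with Retry-After, and keep the 429 events in the API Management logs so traffic spikes are visible during the log reviews described above.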

References

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-product-with-ratelimit
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-400
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3

CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.3