Set a rate limit
Summary
The server must have a rate limit to control interaction frequency.
Description
Several attacks depend on sending a very large number of requests from a single host. For instance, a single machine can exhaust a server's connection pool by issuing many asynchronous (concurrent) requests, causing a denial of service (DoS). These and other attacks, such as those that rely on brute force (credential guessing, resource enumeration), can be thwarted or severely hindered by limiting the number of requests a single host may send to the server in a short period of time. Server settings should therefore include a rate limit calibrated to the regular request flow between a host and the server, so that legitimate clients are not throttled while abusive ones are. Note that a limit keyed only on the source host does not stop a distributed attack; for authentication endpoints it should be complemented by a limit keyed on the targeted account.
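The following is an added example, not code from the original page or from Fluid Attacks: a per-client token-bucket rate limiter that replays a constructed request log to show the effect described above. The client addresses, the bucket size (5 requests) and the refill rate (1 request per second) are assumptions chosen for illustration; the limiter can be keyed on any string, so the same class keyed on the target account name (for example `"login:alice"`) covers the brute-force case as well.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Bucket:
    """State of one client's token bucket."""
    tokens: float   # tokens currently available
    last: float     # clock value at the last refill


class RateLimiter:
    """Token-bucket limiter keyed on an arbitrary client identifier.

    Each key (source IP, API key, target account, ...) gets a bucket that
    holds at most `capacity` tokens and refills at `refill_per_sec`. A
    request is allowed when at least one token is available. Otherwise it
    is rejected and the caller should answer HTTP 429 with a Retry-After
    hint computed from the refill rate.
    """

    def __init__(self, capacity: int, refill_per_sec: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock          # injectable for deterministic tests
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request by `key`."""
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            # A new client starts with a full bucket (burst allowance).
            bucket = Bucket(tokens=self.capacity, last=now)
            self.buckets[key] = bucket
        # Refill proportionally to elapsed time, never above capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        # Seconds until one full token has accrued again.
        retry_after = (1.0 - bucket.tokens) / self.refill
        return False, retry_after


# Constructed request log (timestamp in seconds, client address).
# 10.0.0.5 fires 50 requests within one second (asynchronous flood);
# 192.0.2.10 sends one request every two seconds (regular client).
SAMPLE_REQUESTS: List[Tuple[float, str]] = sorted(
    [(i * 0.02, "10.0.0.5") for i in range(50)]
    + [(i * 2.0, "192.0.2.10") for i in range(10)]
)


def simulate(requests: List[Tuple[float, str]], capacity: int = 5,
             refill_per_sec: float = 1.0) -> Dict[str, Dict[str, int]]:
    """Replay a time-ordered request log and count allowed/rejected per client."""
    current = {"t": 0.0}
    limiter = RateLimiter(capacity, refill_per_sec, clock=lambda: current["t"])
    result: Dict[str, Dict[str, int]] = {}
    for ts, client in requests:
        current["t"] = ts
        allowed, _retry_after = limiter.allow(client)
        stats = result.setdefault(client, {"allowed": 0, "rejected": 0})
        stats["allowed" if allowed else "rejected"] += 1
    return result


if __name__ == "__main__":
    for client, stats in simulate(SAMPLE_REQUESTS).items():
        print(f"{client}: {stats}")
```

With a bucket of 5 and a refill of 1 token per second, the flooding host gets its first 5 requests through and the remaining 45 rejected, while the regular client is never throttled because its bucket refills fully between requests. Tuning means picking `capacity` and `refill_per_sec` from the legitimate request flow observed for the endpoint; the burst allowance is what keeps normal page loads from tripping the limit.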
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-49. Password brute forcing
- CAPEC™-125. Flooding
- CAPEC™-130. Excessive allocation
- CWE™-307. Improper restriction of excessive authentication attempts
- CWE™-770. Allocation of resources without limits or throttling
- CWE™-799. Improper control of interaction frequency
- OWASP TOP 10-A4. Insecure design
- Agile Alliance-11. Best architectures, requirements, and designs
- ISA/IEC 62443-RA-7_1. Denial of service protection
- WASSEC-6_2_1_1. Authentication - Brute force
- OSSTMM3-9_9_1. Wireless security (configuration verification) - Common errors
- WASC-A_11. Brute force
- WASC-A_10. Denial of service
- WASC-A_34. Predictable resource location
- ISSAF-E_22. Network security - Switch security assessment (layer 2 port authentication)
- ISSAF-H_14_13. Network security - Intrusion detection (detection engine)
- ISSAF-P_4. Host security - Linux security (identify ports and services)
- ISSAF-Q_8_6_1. Host security - Windows security (brute force passwords or remote attack)
- ISSAF-T_11_1. Web application assessment - Brute force attack
- ISSAF-T_16_2. Web application assessment - Input Validation (test buffer overflow)
- OWASP MASVS-V4_6. Authentication and session management requirements
- OWASP MASVS-V8_1. Resilience requirements - Impede dynamic analysis and tampering
- NIST 800-115-4_2. Network port and service identification
- OWASP ASVS-5_1_2. Input validation
- OWASP ASVS-11_1_2. Business logic security
- OWASP ASVS-11_1_3. Business logic security
- OWASP ASVS-11_1_4. Business logic security
- CASA-5_1_2. Input Validation
- CASA-11_1_4. Business Logic Security
Vulnerabilities
- 002. Asymmetric denial of service
- 003. Symmetric denial of service
- 047. Automatic information enumeration
- 053. Lack of protection against brute force attacks
- 057. Asymmetric denial of service - Content length
- 108. Improper control of interaction frequency
- 122. Email flooding
- 211. Asymmetric denial of service - ReDoS
- 231. Message flooding
- 252. Automatic information enumeration - Open ports
- 253. Automatic information enumeration - AWS
- 254. Automatic information enumeration - Credit Cards
- 330. Lack of protection against brute force attacks - Credentials
- 356. Symmetric denial of service - SMTP
- 357. Symmetric denial of service - FTP
- 423. Inappropriate coding practices - System exit
- 442. SMTP header injection