SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

RATE01/02 Missing or Disabled Rate Limiting

This page covers:

What this means

SiteShadow flagged endpoints (commonly login, password reset, token issuance, or public APIs) that can be

hit repeatedly without meaningful throttling.

Why it matters

Without rate limiting, attackers can brute-force credentials, enumerate accounts, or abuse expensive

endpoints to cause outages or unexpected cost.

Safer examples

1) Rate limit sensitive endpoints

Apply server-side limits per IP and per account (especially login/reset/token issuance).

2) Add progressive delays and attempt caps

Use exponential backoff, lockouts, or step-up verification after repeated failures.

3) Protect expensive operations

Add caching, request budgets, and timeouts on endpoints that are expensive to compute.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.