RATE01/02 Missing or Disabled Rate Limiting
This page covers:
- RATE01: Missing rate limiting on sensitive endpoints
- RATE02: Rate limiting present but disabled or ineffective
What this means
SiteShadow flagged endpoints (commonly login, password reset, token issuance, or public APIs) that can be
hit repeatedly without meaningful throttling.
Why it matters
Without rate limiting, attackers can brute-force credentials, enumerate accounts, or abuse expensive
endpoints to cause outages or unexpected cost.
Safer examples
1) Rate limit sensitive endpoints
Apply server-side limits per IP and per account (especially login/reset/token issuance). Keying on both matters: a per-IP limit alone misses a distributed attacker targeting one account, and a per-account limit alone misses a single source spraying many accounts.
2) Add progressive delays and attempt caps
Use exponential backoff, lockouts, or step-up verification after repeated failures.
3) Protect expensive operations
Add caching, request budgets, and timeouts on endpoints that are expensive to compute.
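The following is an added example, not SiteShadow's code, showing items 1 and 2 above in one place: a login guard that throttles per IP and per account with sliding windows, and applies exponential lockout to an account after repeated failures. It assumes an in-memory store (a production deployment would back it with Redis or similar so limits hold across app instances), illustrative thresholds, and a fake clock so the scenario is reproducible; the IP and account name are constructed sample values.

```python
# Added example (not SiteShadow's code): per-IP and per-account throttling
# for a login endpoint plus exponential lockout after repeated failures.
# Assumptions: in-memory state, illustrative thresholds, constructed inputs.
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FailureBackoff:
    """Exponential lockout per account after `free_attempts` failures."""

    def __init__(self, base_delay=1.0, max_delay=900.0, free_attempts=3,
                 clock=time.monotonic):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.free_attempts, self.clock = free_attempts, clock
        self._state = {}  # account -> (consecutive failures, locked_until)

    def locked_for(self, account):
        """Seconds remaining on the account's lockout (0.0 if not locked)."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures > self.free_attempts:  # 1s, 2s, 4s, ... capped at max_delay
            delay = min(self.base_delay * 2 ** (failures - self.free_attempts - 1),
                        self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


class LoginGuard:
    """Checks to run before the credential store is touched."""

    def __init__(self, clock=time.monotonic):
        self.ip_limiter = SlidingWindowLimiter(limit=20, window=60, clock=clock)
        self.account_limiter = SlidingWindowLimiter(limit=5, window=60, clock=clock)
        self.backoff = FailureBackoff(clock=clock)

    def check(self, ip, account):
        """Return (allowed, reason); any denial should map to a generic 429."""
        wait = self.backoff.locked_for(account)
        if wait > 0:
            return False, f"account locked for {wait:.0f}s"
        if not self.ip_limiter.allow(ip):
            return False, "ip rate limit"
        if not self.account_limiter.allow(account):
            return False, "account rate limit"
        return True, "ok"

    def report(self, account, success):
        """Record the outcome of an attempt that check() allowed."""
        if success:
            self.backoff.record_success(account)
        else:
            self.backoff.record_failure(account)


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_bruteforce():
    """Constructed scenario: one IP sends wrong passwords for one account.

    Returns the reason for each attempt: four free attempts, a 1s lockout,
    one more attempt after waiting, then the per-account window limit.
    """
    clock, ip, account = FakeClock(), "198.51.100.7", "alice"  # constructed
    guard = LoginGuard(clock=clock)
    reasons = []
    for pause in [0, 0, 0, 0, 0, 1.0, 2.0]:  # seconds to wait before each try
        clock.advance(pause)
        allowed, reason = guard.check(ip, account)
        reasons.append(reason)
        if allowed:
            guard.report(account, success=False)  # wrong password every time
    return reasons


if __name__ == "__main__":
    for r in simulate_bruteforce():
        print(r)
```

Two design notes: the same SlidingWindowLimiter keyed on (caller, endpoint) doubles as the request budget called for under item 3, and a hard per-account lockout can be turned against legitimate users, so in production the backoff delay is usually a trigger for step-up verification rather than a flat refusal. Denials should return the same generic response whether or not the account exists, so the throttle itself does not become an enumeration oracle.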
How SiteShadow detects it (high level)
- Detects auth and public endpoints that can be called repeatedly without visible throttling/attempt limits.
- Flags "unbounded attempts" patterns (e.g., OTP verification, password reset requests) and high-cost endpoints without guards.
References
- OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- OWASP API Security Top 10: https://owasp.org/www-project-api-security/
---