API Security · beginner · ~9 min

Rate limiting and resource consumption

Explain why missing rate limiting is an API risk and how it is tested.

Overview

Missing rate limiting (unrestricted resource consumption) amplifies brute force, enumeration and OTP bypass, and creates direct cost and DoS risk. Test by hammering endpoints and checking for 429 responses, lockouts, and bypasses. Fix: server-side limits per identity and per IP, lockouts/backoff, capped pagination, and 429 with Retry-After.

Why it matters

Rate limiting is the control that bounds every other guessing attack: its absence turns a guessing weakness into a practical breach (password spraying, ID enumeration, OTP brute force) and creates direct DoS and cost risk.

Core concepts

  • Amplifier: enables brute force, enumeration and OTP bypass at scale.
  • Cost/DoS: unbounded expensive endpoints.
  • Test: burst requests; look for 429/lockout and for bypasses (IP, header, endpoint version).
  • Fix: server-side per-identity and per-IP limits, backoff, caps, 429.

Lesson

Unrestricted resource consumption is its own entry in the OWASP API Top 10 — and missing rate limiting amplifies almost every other attack.

Why it matters

  • Brute force / credential stuffing: without throttling, an attacker tries millions of passwords or tokens.
  • Enumeration: BOLA/BFLA testing and ID harvesting scale freely when there's no limit.
  • Cost / DoS: unbounded expensive endpoints (search, export, image processing, LLM calls) run up cost or exhaust resources.
  • OTP/2FA bypass: unlimited code attempts defeat a 6-digit factor.

How to test

  • Send the same request many times rapidly; observe whether limits, lockouts, or 429 Too Many Requests kick in.
  • Check whether limits are per-account, per-IP, or absent — and whether they're bypassable (rotating IPs, changing a header, hitting a different endpoint/version for the same action).

The fix

  • Enforce limits server-side per identity and per IP, on sensitive and expensive endpoints especially.
  • Add lockouts/backoff on auth, cap response sizes/pagination, and budget expensive operations.
  • Return 429 with Retry-After. Don't rely on the client to throttle.
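As an added example (not part of the original lesson), a minimal login limiter that applies the fix above: a token bucket per identity and per client IP, checked together, returning 429 with Retry-After. Bucket sizes, the trusted-proxy set and the X-Forwarded-For handling are assumptions chosen for illustration; the header check shows why "change a header" bypasses fail when only a trusted proxy's forwarded address is honoured.

```python
import math
import time


class TokenBucket:
    """Token bucket keyed by an arbitrary string (user id, client IP).

    State is an in-process dict; a real deployment keeps it in a shared
    store so every API replica enforces the same counters."""

    def __init__(self, capacity, seconds_per_token):
        self.capacity = capacity
        self.period = seconds_per_token  # time to earn one token back
        self.state = {}  # key -> (tokens, last_seen)

    def take(self, key, now):
        """Consume one token for `key`. Returns (allowed, retry_after_seconds)."""
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) / self.period)
        if tokens >= 1:
            self.state[key] = (tokens - 1, now)
            return True, 0.0
        # A rejected attempt earns nothing back; report when a token will exist.
        self.state[key] = (tokens, now)
        return False, (1 - tokens) * self.period


def client_ip(remote_addr, forwarded_for, trusted_proxies):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy;
    otherwise any caller could set the header and get a fresh per-IP bucket."""
    if remote_addr in trusted_proxies and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


class LoginLimiter:
    """Per-identity and per-IP limits, both checked on every login attempt."""

    def __init__(self, trusted_proxies=()):
        self.per_user = TokenBucket(capacity=5, seconds_per_token=60)  # 5 tries, then 1/min
        self.per_ip = TokenBucket(capacity=20, seconds_per_token=6)   # 20 tries, then 10/min
        self.trusted_proxies = set(trusted_proxies)

    def check(self, username, remote_addr, forwarded_for=None, now=None):
        """Return (status, headers): 200 to proceed, or 429 with Retry-After."""
        now = time.time() if now is None else now
        ip = client_ip(remote_addr, forwarded_for, self.trusted_proxies)
        # Normalise the identity so "Alice " and "alice" share one bucket.
        ok_user, wait_user = self.per_user.take("user:" + username.strip().lower(), now)
        ok_ip, wait_ip = self.per_ip.take("ip:" + ip, now)
        if ok_user and ok_ip:
            return 200, {}
        return 429, {"Retry-After": str(max(1, math.ceil(max(wait_user, wait_ip))))}
```

Call `check()` before the password is verified so that rejected attempts never reach the credential store.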

Summary

Unrestricted resource consumption is a first-class API risk and a force-multiplier for brute force and enumeration. Defend with server-side rate limits per identity and IP, lockouts, and capped expensive operations.
