Safeguard
Security

Rate Limiting Vulnerability: Why Missing Limits Are an OWASP Risk

A rate limiting vulnerability lets attackers hammer your endpoints unchecked, enabling brute force, credential stuffing, and resource exhaustion. Here is how to find and fix it.

Priya Mehta
Security Analyst
6 min read

A rate limiting vulnerability exists when an API or web endpoint accepts an unbounded number of requests from a single client without throttling, letting an attacker brute-force credentials, enumerate data, exhaust resources, or run up costs unchecked. The absence of a limit is itself the flaw. It rarely shows up as a dramatic crash; instead it quietly enables every other attack that depends on volume. OWASP treats it as a first-class API risk, and for good reason.

Why "no rate limiting" is on the OWASP list

The no rate limiting vulnerability has a formal home in the OWASP API Security Top 10. In the 2019 edition it was listed as API4:2019 Lack of Resources and Rate Limiting. The 2023 edition broadened and renamed it to API4:2023 Unrestricted Resource Consumption, reflecting that the problem is not only about request frequency but about any resource — CPU, memory, bandwidth, third-party API spend, SMS or email quota — that a client can consume without bound.

The rename matters. A no rate limit vulnerability today covers more than "too many requests per second." It includes a single request that asks for a million records, an upload with no size cap, or an endpoint that triggers an expensive downstream call every time it is hit. The unifying theme is the same: the server does not constrain what one client can consume.

What attackers do with an unthrottled endpoint

Missing rate limits are an amplifier. Each of these attacks is far harder — sometimes impractical — when limits are in place:

  • Credential stuffing and brute force. Without a limit, an attacker can try millions of username/password pairs or OTP codes against a login or verification endpoint. A six-digit code has only a million possibilities; unthrottled, that is minutes of work.
  • Data enumeration (scraping). An endpoint that returns one record per ID becomes a full-database export when an attacker walks the ID space at machine speed.
  • Resource exhaustion and denial of service. Flooding an expensive endpoint can degrade or take down the service for everyone. This is the classic no rate limiting vulnerability OWASP flags under unrestricted resource consumption.
  • Financial denial of service. If an endpoint triggers a metered downstream — sending SMS, calling a paid AI API, provisioning cloud resources — unlimited requests translate directly into a runaway bill.

Note the pattern: the login endpoint that is safe against a single guess is catastrophic against a million. Rate limiting is what keeps a small risk from scaling into a breach.

How to detect the vulnerability

Finding a rate limiting vulnerability is straightforward because you are testing for the absence of a control. Pick a sensitive endpoint and send a burst of requests, watching whether any get rejected:

# Fire 200 rapid requests at a login endpoint and tally the status codes.
# If you never see 429 (Too Many Requests), there is likely no limit.
for i in $(seq 1 200); do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -X POST https://api.example.com/login \
    -d '{"user":"test","pass":"wrong"}' \
    -H "Content-Type: application/json"
done | sort | uniq -c

If every response comes back 200/401 and never 429, the endpoint is unthrottled. Do this only against systems you own or are authorized to test. A dynamic scanner automates this across an entire API surface and flags endpoints that never return a throttling response, along with endpoints missing size caps on request bodies.

Also check the flip side: many teams add a limit but forget to key it correctly. A limit keyed only on IP address is trivially bypassed with a rotating proxy pool, and a limit that resets per-connection does nothing against a persistent client.

Fixing it properly

Effective rate limiting is layered and keyed on the right identity. A few principles that hold up in production:

  1. Limit at the edge and in the app. An API gateway or reverse proxy should enforce coarse global limits, while the application enforces fine-grained, business-aware limits on sensitive actions like login and password reset.
  2. Key on the strongest available identity. For authenticated calls, key on the user or API key, not just the IP. For anonymous flows like login, combine IP with account identifier so one account cannot be brute-forced from many IPs and one IP cannot brute-force many accounts.
  3. Return 429 with a Retry-After header. Well-behaved clients back off; attackers at least get slowed.
  4. Cap resource consumption, not just request count. Enforce maximum page sizes, request body limits, and query complexity limits so a single request cannot consume unbounded work. This is the heart of the API4:2023 framing.

A typical token-bucket configuration at a gateway might read:

# Illustrative gateway policy
rate_limit:
  key: "$http_authorization"   # per API key, not per IP
  requests_per_minute: 60
  burst: 10
  on_exceeded: 429

For login specifically, add progressive delays or temporary lockouts after repeated failures, and consider a CAPTCHA or step-up challenge once a threshold is crossed. The Safeguard Academy has a deeper walkthrough of layering these controls without hurting legitimate users.

Watch the exceptions

The most common way a rate limit fails in practice is an unguarded path that bypasses it: an internal admin endpoint, a legacy API version, a webhook receiver, or a GraphQL resolver that batches many operations into one HTTP request. Inventory every entry point and confirm the limit applies to each, because attackers specifically hunt for the one endpoint the policy forgot. A single unthrottled route reopens the entire vulnerability.

FAQ

What is a rate limiting vulnerability?

It is the condition where an endpoint accepts unlimited requests or unbounded resource consumption from a client without throttling, enabling brute force, enumeration, denial of service, and cost-based attacks. The missing control is the vulnerability itself.

Where does OWASP cover no rate limiting?

In the OWASP API Security Top 10. It was API4:2019 Lack of Resources and Rate Limiting, renamed and broadened in the 2023 edition to API4:2023 Unrestricted Resource Consumption.

What status code should a rate-limited request return?

HTTP 429 Too Many Requests, ideally with a Retry-After header telling the client when to try again. If you burst-test an endpoint and never see 429, it is probably unthrottled.

Is limiting by IP address enough?

No. IP-based limits are bypassed with proxy or botnet rotation, and they can punish users sharing a NAT gateway. Key limits on the authenticated user or API key where possible, and for login combine IP with the account identifier.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.