Security Test: Sensitive endpoint bruteforce

Description

Default Severity:

If an endpoint doesn't limit how often users can send requests, attackers can flood it with attempts until they succeed in guessing valid credentials or other secret information. This oversight usually comes from developers assuming that other parts of the system (a gateway, a WAF, an upstream proxy) handle such checks, or from not properly implementing rate limiting at this particular endpoint. Without proper limits, a bad actor can effectively try countless variations, which could eventually lead to unauthorized access or service disruption. This is especially dangerous when sensitive data or critical functions are exposed.
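The following is an added example, not code from the original page or from the scanner it documents. It contrasts a credential-check endpoint with no throttling against the same check guarded by a per-account, per-source sliding-window limiter, so the throttled form rejects further attempts after a small budget is spent without ever touching the password hash. The user table, thresholds, `login_unlimited`/`login_limited` names and the source address are all hypothetical and constructed for the demonstration.

```python
"""Added example: a sliding-window rate limiter in front of a credential check.

Everything here (user table, salt, limits, source address) is constructed for
illustration and is not taken from the page or any real deployment.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed demo credential store: PBKDF2 hashes, fixed salt for brevity.
_SALT = b"constructed-demo-salt"


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per `window` seconds for each key.

    Keying on (target account, caller source) means a single source cannot
    exhaust the budget of every account, and one account cannot be hammered
    from many sources without each source being throttled individually.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        # Evict timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget spent: reject before any credential work
        q.append(now)
        return True


def login_unlimited(user: str, password: str) -> bool:
    """Weak form: every request is checked, however many arrive."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, _hash(password))


def login_limited(limiter: SlidingWindowLimiter, user: str, password: str,
                  source_ip: str, now: Optional[float] = None) -> str:
    """Hardened form: consume one attempt from the (account, source) budget
    before doing the check. Returns 'ok', 'denied' or 'rate_limited'."""
    if not limiter.allow(f"{user}|{source_ip}", now):
        return "rate_limited"
    return "ok" if login_unlimited(user, password) else "denied"


def run_attempts(candidates: List[str], limit: int = 5,
                 window: float = 60.0) -> List[str]:
    """Feed a constructed sequence of guesses from one source against one
    account, one second apart, and return the per-request outcome."""
    limiter = SlidingWindowLimiter(limit=limit, window=window)
    return [login_limited(limiter, "alice", pw, "198.51.100.7", now=float(i))
            for i, pw in enumerate(candidates)]


if __name__ == "__main__":
    for i, outcome in enumerate(run_attempts(["a", "b", "c", "d", "e", "f", "g"])):
        print(f"attempt {i}: {outcome}")
```

With a budget of five attempts per minute, the sixth and seventh requests in the run above come back as `rate_limited` without the server computing a hash, which is the behaviour the check expects to observe. In a real service the limiter state would live in shared storage rather than process memory, and the same outcome should be returned whether the account exists or not, so the limiter does not become a user-enumeration oracle.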

Reference:

Configuration

Identifier: access_control/sensitive_endpoint_bruteforce

Examples

All available configuration:

checks:
  access_control/sensitive_endpoint_bruteforce:
    skip: false # default

Compliance and Standards

| Standard         | Value                                        |
|------------------|----------------------------------------------|
| OWASP API Top 10 | API3:2023                                    |
| OWASP LLM Top 10 | LLM04:2023                                   |
| PCI DSS          | 6.5.10                                       |
| GDPR             | Article-32                                   |
| SOC2             | CC1                                          |
| PSD2             | Article-95                                   |
| ISO 27001        | A.14.2                                       |
| NIST             | SP800-53                                     |
| FedRAMP          | AC-7                                         |
| CWE              | 307                                          |
| CVSS Vector      | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| CVSS Score       | 5.3                                          |