Access Control: Sensitive endpoint bruteforce

Identifier: sensitive_endpoint_bruteforce
Scanner(s) Support

- GraphQL Scanner
- REST Scanner
- WebApp Scanner
Description

If an endpoint does not limit how often a client can send requests, an attacker can flood it with attempts until one succeeds in guessing valid credentials or other secret values (tokens, reset codes, MFA codes). This oversight usually comes from developers assuming that another part of the system (a gateway, a WAF, a framework middleware) already enforces such checks, or from rate limiting being implemented elsewhere but not on this particular endpoint. Without proper limits, a bad actor can effectively try countless variations, which can eventually lead to unauthorized access or service disruption; this is especially dangerous where sensitive data or critical functions are exposed.
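The mitigation the description points at is enforcing the limit on the sensitive endpoint itself rather than assuming a gateway does it. The following is an added example, not code from the original page or from the scanner it documents: a sliding-window limiter applied to a simulated credential-check endpoint, keyed on both the source address and the target account so that a single source spraying many accounts and many sources targeting one account are both slowed down. The class and function names, the user table, the salt and the clock are all constructed for illustration.

```python
"""Added example (not from the original page): a per-key sliding-window
rate limiter in front of a simulated login endpoint. Names, the user
table, the salt and the injected clock are constructed for illustration."""
import hashlib
import hmac
import time
from collections import deque
from typing import Callable, Deque, Dict


class SlidingWindowLimiter:
    """Allow at most `max_attempts` events per key within any `window_seconds` span."""

    def __init__(self, max_attempts: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.clock = clock  # injected so the behaviour can be tested deterministically
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        """Record one attempt for `key`; return False if the window is already full."""
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest attempt in a full window expires (0 if not full)."""
        hits = self._hits.get(key)
        if not hits or len(hits) < self.max_attempts:
            return 0.0
        return max(0.0, self.window_seconds - (self.clock() - hits[0]))


# Constructed user table: PBKDF2 digests with a constructed (hypothetical) salt.
_SALT = b"constructed-demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice": _digest("correct horse battery staple")}


class LoginEndpoint:
    """Simulated POST /login: the rate limit is checked before any credential lookup."""

    def __init__(self, limiter: SlidingWindowLimiter) -> None:
        self.limiter = limiter

    def handle(self, client_ip: str, username: str, password: str) -> dict:
        # Two independent keys: per source address and per target account.
        for key in (f"ip:{client_ip}", f"user:{username}"):
            if not self.limiter.allow(key):
                return {"status": 429,
                        "retry_after": round(self.limiter.retry_after(key), 1)}
        expected = USERS.get(username)
        # Constant-time comparison of digests; an unknown user still costs one attempt.
        ok = expected is not None and hmac.compare_digest(expected, _digest(password))
        return {"status": 200 if ok else 401}


class FakeClock:
    """Deterministic clock for the stand-alone demo and for tests."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_demo() -> list:
    """Three wrong guesses, then the correct password is refused until the window expires."""
    clock = FakeClock()
    endpoint = LoginEndpoint(SlidingWindowLimiter(max_attempts=3, window_seconds=60, clock=clock))
    statuses = [endpoint.handle("10.0.0.1", "alice", f"wrong{i}")["status"] for i in range(3)]
    statuses.append(endpoint.handle("10.0.0.1", "alice", "correct horse battery staple")["status"])
    statuses.append(endpoint.handle("10.0.0.2", "alice", "correct horse battery staple")["status"])
    clock.t = 61.0  # window has elapsed
    statuses.append(endpoint.handle("10.0.0.1", "alice", "correct horse battery staple")["status"])
    return statuses


if __name__ == "__main__":
    print(run_demo())
```

The limiter is checked before the password digest is computed, so a client that is already over the limit does not even cost the server a PBKDF2 round; the `retry_after` value is what a real handler would put in a `Retry-After` header with the 429 response.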
References:
Configuration

Example

Example configuration:

```yaml
---
security_tests:
  sensitive_endpoint_bruteforce:
    assets_allowed:
      - REST
      - GRAPHQL
      - WEBAPP
    skip: false
```
Reference

assets_allowed

Type: List[AssetType]

List of assets that this check will cover.

skip

Type: boolean

Skip the test if true.