Skip to main content

Sensitive endpoint bruteforce


During our security assessment, we identified a vulnerability in the rate-limiting mechanism of a public mutation endpoint. Multiple requests to this endpoint were made without triggering any rate-limiting defenses. This lack of rate limitation exposes the endpoint to brute force attacks, where an attacker could try numerous combinations of credentials or inputs to gain unauthorized access or disrupt services. Such vulnerabilities are critical, especially if the endpoint handles sensitive data or critical functions.


To mitigate this vulnerability, it is crucial to implement an effective rate limiting mechanism on the mutation endpoint. This should include limiting the number of requests a user can make within a given time frame, and escalating restrictions for repeated violations. Consider using tools like Redis for efficient rate limiting. Additionally, implement alert mechanisms for unusual traffic patterns or repeated failed attempts, which can be early indicators of a brute force attack.

GraphQL Specific


Implement rate limiting in Apollo Server to prevent brute force attacks. Use Apollo Server's built-in support for defining custom directives or integrate with existing rate-limiting libraries.


Incorporate rate limiting in GraphQL Yoga by using middleware that can limit the number of requests a user can make to an endpoint.


Utilize AWS AppSync's built-in features to set up rate limiting. Configure the AWS AppSync API to use API keys or AWS IAM permissions to control and limit access rates.


Implement rate limiting in your GraphQL Go server by using a middleware that can restrict the rate of incoming requests.


In GraphQL Ruby, use the built-in complexity and depth analysis to mitigate against brute force attacks by limiting the complexity of the queries that can be executed.


Leverage Hasura's support for setting up rate limits on its actions and subscriptions to prevent abuse.

REST Specific

Use ASP.NET's built-in rate limiting features or third-party libraries like AspNetCoreRateLimit to prevent brute force attacks on endpoints.

Ruby on rails

In Ruby on Rails, use Rack::Attack or similar middleware to throttle requests and protect sensitive endpoints from brute force attacks.


For Next.js applications, implement rate limiting using middleware or third-party libraries to protect API routes.


Use Laravel's built-in rate limiting features to protect routes by limiting the number of requests that can be made within a certain time frame.


Implement rate limiting in Express.js applications using the express-rate-limit middleware to prevent brute force attacks.


In Django, use the django-ratelimit library to apply rate limiting to views and protect against brute force attacks.


Utilize Symfony's rate limiter component to create custom rate limiting policies for your application's endpoints.

Spring boot

In Spring Boot, use a combination of HTTP request interceptors and a rate limiting service to protect your endpoints.


For Flask applications, use Flask-Limiter to add rate limiting capabilities to your endpoints.


In Nuxt.js, use middleware to implement rate limiting and protect your API routes from excessive requests.


Identifier: access_control/sensitive_endpoint_bruteforce


Ignore this check

"checks": {
"access_control/sensitive_endpoint_bruteforce": {
"skip": true


  • Escape Severity: MEDIUM


  • OWASP: API3:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6.1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53



  • CVSS_SCORE: 5.3