
Sensitive endpoint bruteforce

Description

During our security assessment, we identified that a public mutation endpoint lacks an effective rate-limiting mechanism: multiple requests to the endpoint were made without triggering any rate-limiting defense. Without a request limit, the endpoint is exposed to brute force attacks, in which an attacker submits large numbers of credential or input combinations to gain unauthorized access or disrupt the service. Such vulnerabilities are critical, especially when the endpoint handles sensitive data or critical functions.

Remediation

To mitigate this vulnerability, implement an effective rate-limiting mechanism on the mutation endpoint: cap the number of requests a client can make within a given time frame, and escalate the restriction (for example, a longer lockout) for repeated violations. A shared store such as Redis keeps the per-client counters consistent across application instances. Additionally, alert on unusual traffic patterns and on repeated failed attempts, which are early indicators of a brute force attack.
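The following is an added example, not code from the page or from Escape's tooling, showing the mechanism described above in a framework-agnostic form: a per-client fixed window, a lockout that doubles on each repeat violation, and an alert hook fed by both violations and repeated authentication failures. The thresholds, the client identifier, the IP address and the Express-style wrapper are assumptions chosen for illustration; the per-framework sections below map the same pattern onto each framework's own library.

```javascript
// Added example (not from the page or Escape's tooling): an in-memory limiter for a
// sensitive mutation such as login. Fixed window per client, lockouts that double on
// each repeat violation, and an alert hook fed by both violations and repeated
// authentication failures. Thresholds, client id and IP below are constructed values.
// In production the per-client state belongs in a shared store such as Redis.

const LIMIT = 5;                    // requests allowed per window
const WINDOW_MS = 60_000;           // window length
const BASE_LOCK_MS = 60_000;        // first lockout; doubles per repeat violation
const MAX_LOCK_MS = 3_600_000;      // cap on the escalated lockout
const FAILED_ALERT_THRESHOLD = 10;  // consecutive auth failures that raise an alert

class RateLimiter {
  constructor({ limit = LIMIT, windowMs = WINDOW_MS, onAlert = () => {} } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.onAlert = onAlert;
    this.clients = new Map(); // clientId -> per-client state
  }

  state(clientId) {
    let s = this.clients.get(clientId);
    if (!s) {
      s = { windowStart: 0, count: 0, violations: 0, lockedUntil: 0, failures: 0 };
      this.clients.set(clientId, s);
    }
    return s;
  }

  // Decide whether a request may proceed. Returns { allowed, retryAfterMs }.
  check(clientId, now = Date.now()) {
    const s = this.state(clientId);
    if (now < s.lockedUntil) {
      return { allowed: false, retryAfterMs: s.lockedUntil - now };
    }
    if (now - s.windowStart >= this.windowMs) {
      s.windowStart = now; // start a fresh window
      s.count = 0;
    }
    s.count += 1;
    if (s.count > this.limit) {
      // Escalate: the lockout doubles with every violation, up to MAX_LOCK_MS.
      s.violations += 1;
      const lockMs = Math.min(BASE_LOCK_MS * 2 ** (s.violations - 1), MAX_LOCK_MS);
      s.lockedUntil = now + lockMs;
      this.onAlert({ type: 'rate_limit_exceeded', clientId, violations: s.violations, lockMs });
      return { allowed: false, retryAfterMs: lockMs };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record an authentication outcome: a run of failures is an early brute-force indicator.
  recordOutcome(clientId, success) {
    const s = this.state(clientId);
    if (success) { s.failures = 0; return; }
    s.failures += 1;
    if (s.failures === FAILED_ALERT_THRESHOLD) {
      this.onAlert({ type: 'repeated_failures', clientId, failures: s.failures });
    }
  }
}

// Express-style middleware wrapper (shape only; no framework is loaded here).
// Keying on req.ip is a simplification: behind a proxy use the trusted forwarded
// address, and for a login mutation also key on the target account.
function rateLimitMiddleware(limiter, keyFn = (req) => req.ip) {
  return (req, res, next) => {
    const verdict = limiter.check(keyFn(req));
    if (!verdict.allowed) {
      res.set('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}

// Replay a constructed list of request timestamps (ms) from one client; every
// request that gets through is treated as a failed login attempt.
function replay(timestamps, clientId = '203.0.113.7') {
  const alerts = [];
  const limiter = new RateLimiter({ onAlert: (a) => alerts.push(a) });
  let allowed = 0;
  for (const t of timestamps) {
    if (limiter.check(clientId, t).allowed) {
      allowed += 1;
      limiter.recordOutcome(clientId, false);
    }
  }
  return {
    allowed,
    blocked: timestamps.length - allowed,
    lockDurations: alerts.filter((a) => a.type === 'rate_limit_exceeded').map((a) => a.lockMs),
    failureAlerts: alerts.filter((a) => a.type === 'repeated_failures').length,
  };
}

// One burst of 12 requests a second apart, then two bursts with the lockout expiring between.
const burst = (start, n) => Array.from({ length: n }, (_, i) => start + i * 1000);
console.log(replay(burst(0, 12)));                          // 5 allowed, 7 blocked, lock 60 s
console.log(replay([...burst(0, 6), ...burst(70_000, 6)])); // lockouts escalate: 60 s, then 120 s
```

The second replay shows the escalation: the sixth request of each burst trips the limit, and because the second violation follows the first, its lockout is twice as long; the ten failed attempts that got through also trigger the repeated-failures alert, which is the signal the alerting recommendation above is asking for.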

GraphQL Specific

Apollo

Implement rate limiting in Apollo Server to prevent brute force attacks. Use Apollo Server's built-in support for defining custom directives or integrate with existing rate-limiting libraries.

Yoga

Incorporate rate limiting in GraphQL Yoga by using middleware that can limit the number of requests a user can make to an endpoint.

AWS AppSync

Utilize AWS AppSync's built-in features to set up rate limiting. Configure the AWS AppSync API to use API keys or AWS IAM permissions to control and limit access rates.

GraphQL Go

Implement rate limiting in your GraphQL Go server by using a middleware that can restrict the rate of incoming requests.

GraphQL Ruby

In GraphQL Ruby, use the built-in complexity and depth analysis to mitigate brute force attacks by limiting the complexity of the queries that can be executed.

Hasura

Leverage Hasura's support for setting up rate limits on its actions and subscriptions to prevent abuse.

REST Specific

ASP.NET

Use ASP.NET's built-in rate limiting features or third-party libraries like AspNetCoreRateLimit to prevent brute force attacks on endpoints.

Ruby on Rails

In Ruby on Rails, use Rack::Attack or similar middleware to throttle requests and protect sensitive endpoints from brute force attacks.

Next.js

For Next.js applications, implement rate limiting using middleware or third-party libraries to protect API routes.

Laravel

Use Laravel's built-in rate limiting features to protect routes by limiting the number of requests that can be made within a certain time frame.

Express.js

Implement rate limiting in Express.js applications using the express-rate-limit middleware to prevent brute force attacks.

Django

In Django, use the django-ratelimit library to apply rate limiting to views and protect against brute force attacks.

Symfony

Utilize Symfony's rate limiter component to create custom rate limiting policies for your application's endpoints.

Spring Boot

In Spring Boot, use a combination of HTTP request interceptors and a rate limiting service to protect your endpoints.

Flask

For Flask applications, use Flask-Limiter to add rate limiting capabilities to your endpoints.

Nuxt

In Nuxt.js, use middleware to implement rate limiting and protect your API routes from excessive requests.

Configuration

Identifier: access_control/sensitive_endpoint_bruteforce

Examples

Ignore this check

{
  "checks": {
    "access_control/sensitive_endpoint_bruteforce": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API3:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6.1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53

Classification

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVSS_SCORE: 5.3

References