Lack of Resources and Rate Limiting

Check List

Methodology

Black Box

Rate Limiting Password Reset Functionalities

1. Log into the target site and intercept requests using Burp Suite.
2. Go to the Forgot Password page and complete the request process.
3. In Burp Suite, inspect the captured requests and identify whether the password reset process is performed through API endpoints.
4. If it is, send the reset request to Intruder and replay it 200 times against the endpoint, using the same target account each time.
5. If all 200 requests come back with a 200 status code rather than a 429, and no Retry-After or X-RateLimit-* header appears, the endpoint is not rate limited. Because many applications answer every reset request with a generic 200 to avoid user enumeration, also confirm the effect where possible: multiple reset emails or tokens actually issued for the account, rather than a success page with throttling applied silently on the back end. A change in response length or body text partway through the run usually means a CAPTCHA or lockout message and should be inspected before reporting the endpoint as unprotected.


API Brute Force on Login Endpoint

1. Identify the API login endpoint and intercept a normal login request:

    POST /api/login HTTP/1.1
    Host: target.com
    Content-Type: application/json

    {"username":"victim","password":"WrongPass1"}

2. Send the request to Burp Intruder and set the payload position on the password parameter.
3. Load a password list as the payload set and start the attack at a high request rate.
4. Monitor the responses. A 401 for each wrong password is the expected result; the finding is that the responses stay identical (same status code, same length, same response time) across hundreds of attempts, with no 429, added delay, CAPTCHA challenge, or account lockout.
5. If no temporary block or IP restriction occurs after hundreds of requests, brute-force protection is missing. Check both dimensions: per account (many passwords against one username) and per source (many usernames from one IP, i.e. password spraying). A control that covers only one of them is still reportable.


High-Volume API Abuse (DoS Vector)

1. Identify a search or other heavy-processing endpoint:

    GET /api/search?q=test HTTP/1.1
    Host: target.com
    Authorization: Bearer token123

2. Send the request to Turbo Intruder and increase the number of concurrent requests significantly. Agree the load level and test window with the client first: this test can take a production service down, so run it against a staging environment or within an approved window.
3. Monitor response times and status codes. If the server keeps processing every request without throttling, queueing, or 429 responses, no resource control is enforced.
4. If the high traffic causes degradation (rising response times, 5xx errors, timeouts) without triggering protective mechanisms, a resource exhaustion risk exists.
5. If the API lacks request quotas per user/IP and allows uncontrolled request volume, the Lack of Resources and Rate Limiting vulnerability is confirmed. Unlike the two procedures above, the impact here is availability, so also record the request rate at which degradation began.
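The three procedures above share one mechanic: replay a request many times and decide from the responses whether a control exists. The following is an added example, not code from the original page, that automates that loop with the standard library and classifies the outcome into the three cases the procedures distinguish (explicit throttling, degradation with no throttling, no control at all). The host, the password-reset path, the sample passwords and the `Sample` data used in the checks are assumptions; the `/api/login` and `/api/search` requests are the ones shown above.

```python
"""Added example (not the page's own code): a black-box probe that replays one
request many times and classifies what comes back, covering the password-reset,
login brute-force and high-volume procedures above.  Only the standard library
is used; the host, paths and credentials in main() are placeholders."""
import json
import time
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Header names that indicate an explicit rate-limit control (compared lower-case).
RATE_LIMIT_HEADERS = {
    "retry-after", "x-ratelimit-limit", "x-ratelimit-remaining",
    "x-ratelimit-reset", "ratelimit-limit", "ratelimit-remaining",
}


@dataclass
class Sample:
    """One observed response."""
    status: int
    elapsed: float   # seconds from send to full body read
    length: int      # body length; a sudden change often means a CAPTCHA/lockout page
    headers: dict    # lower-cased header names -> values


def send_one(method, url, headers, body):
    """Send a single request and record status, latency, body length and headers."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            payload = resp.read()
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return Sample(resp.status, time.monotonic() - start, len(payload), hdrs)
    except urllib.error.HTTPError as err:   # 4xx/5xx responses still carry useful headers
        payload = err.read()
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return Sample(err.code, time.monotonic() - start, len(payload), hdrs)


def probe(method, url, headers, bodies, workers=20):
    """Replay the request once per entry in `bodies`, with `workers` concurrent threads."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda b: send_one(method, url, headers, b), bodies))


def assess(samples, slowdown_factor=3.0):
    """Classify a run: explicit throttling, silent degradation, or no control at all."""
    n = len(samples)
    k = max(1, n // 10)                                   # compare first and last 10%
    throttled = sum(1 for s in samples if s.status == 429)
    server_errors = sum(1 for s in samples if 500 <= s.status < 600)
    limit_headers = sorted({h for s in samples for h in s.headers if h in RATE_LIMIT_HEADERS})
    distinct_lengths = len({s.length for s in samples})
    baseline = sum(s.elapsed for s in samples[:k]) / k
    tail = sum(s.elapsed for s in samples[-k:]) / k
    slowed = baseline > 0 and tail / baseline >= slowdown_factor
    if throttled or limit_headers:
        verdict = "throttled"              # a control exists; note how many requests got through first
    elif slowed or server_errors:
        verdict = "degraded-unthrottled"   # the DoS-vector case: service suffers, nothing stops the client
    else:
        verdict = "unthrottled"            # identical answers for every request
    return {
        "verdict": verdict, "requests": n, "throttled": throttled,
        "server_errors": server_errors, "limit_headers": limit_headers,
        "distinct_lengths": distinct_lengths,
        "baseline_s": round(baseline, 3), "tail_s": round(tail, 3),
    }


def login_bodies(username, passwords):
    """Build one JSON body per password, matching the /api/login request shown above."""
    return [json.dumps({"username": username, "password": p}) for p in passwords]


if __name__ == "__main__":
    # Placeholders: the host, the reset path and the password list are assumptions.
    base = "https://target.com"
    json_hdr = {"Content-Type": "application/json"}
    # Procedure 1: 200 identical password-reset requests for one account.
    reset = probe("POST", base + "/api/password/reset", json_hdr,
                  [json.dumps({"email": "victim@example.com"})] * 200)
    print("reset:", assess(reset))
    # Procedure 2: password guessing against one account.
    login = probe("POST", base + "/api/login", json_hdr,
                  login_bodies("victim", ["Winter2024!", "Password1", "WrongPass1"]))
    print("login:", assess(login))
    # Procedure 3: heavy endpoint under concurrency; keep the volume inside the agreed scope.
    search = probe("GET", base + "/api/search?q=test",
                   {"Authorization": "Bearer token123"}, [None] * 500, workers=50)
    print("search:", assess(search))
```

The verdict alone is not the finding: for a "throttled" run, report how many requests succeeded before the first 429 (a limit of 1,000 reset emails per minute is still a problem), and for a "degraded-unthrottled" run, report the request rate at which `tail_s` started climbing.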


White Box
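In a white-box review the question is whether the code path behind a login or password-reset endpoint contains a per-source rate limiter and a per-account lockout, and whether both are actually consulted before the expensive work (credential check, email send) happens. The following is an added example, not the page's own or any project's code, of those two controls in their simplest form, wired into a handler shaped like the POST /api/login request above. The class and function names, the default thresholds and the `check_password` callback are assumptions; a deployment would keep the state in a shared store rather than in-process dicts.

```python
"""Added example (not from the page or any project): the minimal server-side
controls a white-box review of a login or password-reset handler should find.
  * RateLimiter - token bucket keyed by client IP (or API key); answers the
                  "requests per time window" question and produces the 429.
  * LoginGuard  - per-account failed-attempt counter with a temporary lockout,
                  which stops password guessing spread across many source IPs.
State lives in dicts here; a deployment would keep it in Redis or similar so
that every API instance shares it.  The `now` parameter makes the logic
testable without sleeping."""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    last: float


class RateLimiter:
    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity              # burst size
        self.refill_per_sec = refill_per_sec  # sustained rate
        self._buckets = {}

    def _bucket(self, key, now):
        b = self._buckets.get(key)
        if b is None:
            b = self._buckets[key] = _Bucket(float(self.capacity), now)
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(float(self.capacity), b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        return b

    def allow(self, key, now=None):
        """Consume one token for `key`; False means the caller should get a 429."""
        now = time.monotonic() if now is None else now
        b = self._bucket(key, now)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, key, now=None):
        """Seconds until one token is available, for the Retry-After header."""
        now = time.monotonic() if now is None else now
        b = self._bucket(key, now)
        return max(0.0, 1.0 - b.tokens) / self.refill_per_sec


class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900, window_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds
        self._failures = {}      # username -> timestamps of recent failures
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, user, now=None):
        now = time.monotonic() if now is None else now
        return self._locked_until.get(user, 0.0) > now

    def seconds_left(self, user, now=None):
        now = time.monotonic() if now is None else now
        return max(0.0, self._locked_until.get(user, 0.0) - now)

    def record_failure(self, user, now=None):
        """Log a failed attempt; returns True when this one triggers a lockout."""
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures.get(user, []) if now - t < self.window_seconds]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = []   # counter restarts once the lock expires
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user):
        self._failures.pop(user, None)


def handle_login(limiter, guard, client_ip, username, password, check_password, now=None):
    """Handler shaped like the page's POST /api/login; returns (status, body).
    check_password(username, password) -> bool is the application's own verifier."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(client_ip, now):          # checked before any expensive work
        return 429, {"error": "too many requests", "retry_after": limiter.retry_after(client_ip, now)}
    if guard.is_locked(username, now):
        # Same status and shape as the IP limit, so the client cannot tell which control tripped.
        return 429, {"error": "too many requests", "retry_after": guard.seconds_left(username, now)}
    if check_password(username, password):
        guard.record_success(username)
        return 200, {"ok": True}
    guard.record_failure(username, now)
    return 401, {"error": "invalid credentials"}
```

Two things to look for when reviewing real code against this shape: the limiter key must be something the client cannot freely change (a forwarded-for header that the proxy does not overwrite is not one), and the lockout must be applied to the account whether or not the submitted password is correct, otherwise an attacker who is mid-spray learns the right password the moment it stops returning 429.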

Cheat Sheet
