🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Missing Throttlling

When applications fail to enforce throttling or rate limiting on incoming requests, adversaries can issue a large number of repetitive requests in a short time. This can exhaust system resources and cause denial of service, or allow large-scale attacks such as credential stuffing, brute-force authentication, and mass data scraping. Without proper limits, attackers can automate abuse at scale with little resistance.

Remediation

  • Apply rate limiting on all exposed endpoints (REST, GraphQL, gRPC, etc.) according to business requirements and acceptable usage thresholds.
  • Implement dynamic throttling strategies such as IP-based, user-based, or token-based limits.
  • Use exponential backoff or progressive delays after repeated requests to make automation less effective.
  • Monitor for distributed attack patterns (e.g., botnets) and combine rate limiting with anomaly detection.
  • Consider CAPTCHAs or secondary challenges for endpoints prone to brute-force or scraping attacks.

Metadata

  • Severity: low
  • Slug: missing-throttlling

CWEs

  • 770: Allocation of Resources Without Limits or Throttling
  • 400: Uncontrolled Resource Consumption
  • 307: Improper Restriction of Excessive Authentication Attempts

OWASP

  • A05:2021: Security Misconfiguration

Available Labs

Open Javascript labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.