During our penetration test, we found that there is insufficient rate limiting (email); please see the detailed information below.
Do you have suggestions on how we can overcome this situation?
Description:
There is no limit on the number of times a certain functionality can be requested.
Exploit preconditions:
The attacker needs to have access to the application and be on the internal network.
Impact:
Using it multiple times in a row may cause a (partial) denial-of-service. Since the functionality communicates with external services (such as an email provider), using it multiple times in a row may cause the application to become blacklisted or incur a high financial cost. And since the functionality sends messages (such as e-mail), using it multiple times in a row may inconvenience regular users.
Recommendations:
Implement sensible rate limiting so that an attacker cannot abuse functionality by using it multiple times in a row.
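One way to implement the recommended limiting is to put layered sliding-window counters in front of the send call. The example below is added here for illustration; it is not code from the report, from the poster, or from the affected application. The limit values (5 per user per minute, 3 per recipient per hour, 100 globally per minute), the key names, the in-memory store and the fake sender are all assumptions chosen for the demo; the three buckets map to the three impacts listed above (abuse by one account, flooding of one mailbox, and provider reputation/cost).

```python
"""Layered rate limiting for an e-mail sending endpoint (added example, not from the report)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class SlidingWindowLimiter:
    """Allow at most `limit` hits per `window` seconds for each key.

    The clock (`now`) is passed in explicitly so behaviour is deterministic and
    testable; in production pass time.monotonic(). The store is a plain dict, so
    this protects a single process only (assumption: one instance). Behind a load
    balancer, keep the counters in a shared store such as Redis instead.
    """
    limit: int
    window: float
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)

    def check(self, key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) and record the hit if allowed."""
        q = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while q and q[0] <= cutoff:          # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False, q[0] + self.window - now   # time until the oldest hit expires
        q.append(now)
        return True, 0.0


class EmailEndpoint:
    """Wraps the real sender with three independent limits (values are assumptions).

    per_user      - one account cannot hammer the endpoint
    per_recipient - one mailbox cannot be flooded, whoever triggers the sends
    global_limit  - caps total outbound mail to protect provider reputation and cost
    """

    def __init__(self, sender: Callable[[str, str], None]):
        self.sender = sender
        self.per_user = SlidingWindowLimiter(limit=5, window=60)
        self.per_recipient = SlidingWindowLimiter(limit=3, window=3600)
        self.global_limit = SlidingWindowLimiter(limit=100, window=60)
        self.rejected: List[Tuple[str, str]] = []   # (limit name, key) for alerting/logging

    def send(self, user: str, recipient: str, body: str, now: float) -> dict:
        # Most specific bucket first; stop at the first refusal (fail closed).
        for name, limiter, key in (
            ("per_user", self.per_user, user),
            ("per_recipient", self.per_recipient, recipient.lower()),
            ("global", self.global_limit, "all"),
        ):
            ok, retry = limiter.check(key, now)
            if not ok:
                self.rejected.append((name, key))
                return {"status": 429, "limit": name, "retry_after": round(retry, 1)}
        self.sender(recipient, body)
        return {"status": 202}


def simulate_burst(n: int = 20) -> Tuple[int, int, str]:
    """Constructed scenario: one account submits `n` requests within one second."""
    sent: List[str] = []
    ep = EmailEndpoint(sender=lambda rcpt, body: sent.append(rcpt))
    results = [ep.send("alice", f"user{i}@example.test", "reset link", now=0.05 * i)
               for i in range(n)]
    accepted = sum(r["status"] == 202 for r in results)
    return accepted, len(sent), results[-1]["limit"]


def simulate_recipient_flood(n: int = 10) -> Tuple[int, int, str]:
    """Constructed scenario: `n` different accounts each target the same mailbox."""
    sent: List[str] = []
    ep = EmailEndpoint(sender=lambda rcpt, body: sent.append(rcpt))
    results = [ep.send(f"acct{i}", "Victim@example.test", "hello", now=0.1 * i)
               for i in range(n)]
    accepted = sum(r["status"] == 202 for r in results)
    return accepted, len(sent), results[-1]["limit"]


def simulate_window_recovery() -> List[int]:
    """Five sends, a sixth refused, then allowed again once the window has moved on."""
    ep = EmailEndpoint(sender=lambda rcpt, body: None)
    statuses = [ep.send("bob", f"x{t}@example.test", "hi", now=float(t))["status"]
                for t in range(5)]
    statuses.append(ep.send("bob", "y@example.test", "hi", now=5.0)["status"])
    statuses.append(ep.send("bob", "y@example.test", "hi", now=61.0)["status"])
    return statuses


if __name__ == "__main__":
    print("burst:", simulate_burst())               # (5, 5, 'per_user')
    print("flood:", simulate_recipient_flood())     # (3, 3, 'per_recipient')
    print("recovery:", simulate_window_recovery())  # [202, 202, 202, 202, 202, 429, 202]
```

Two points to note when adapting this. First, a refused request still consumes a hit in the buckets checked before the one that refused it; that is deliberate, since counting attempts rather than successful sends keeps the limiter fail-closed against an attacker probing the thresholds. Second, because the report says the attacker is on the internal network, key the per-user bucket on the authenticated identity rather than only on source IP, and record the `rejected` entries to your logging so repeated 429s from one account show up as an alert rather than disappearing silently.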