No Rate Limiting on Registration

Description

We have seen What Rate Limiting is.

Let's see how Rate limiting on Registration is essential.

Our website has User Registration functionality or any other registration functionality. The user will fill the form and click the submit button.

Then, the server will create an account with given details and assign a unique user id to it.

If there is no rate limit on that registration form, the Attacker can write a simple script that automatically fills the form with random content and submit it.

So, within a minimal amount of time, the Attacker can create a large number of fake accounts on our website, which we don't want.

Example

Give Real example here

Impact

  • Unnecessary resources will be wasted on such requests.
  • Denial of service attack can be possible.

Prevention

  • Implement rate-limiting in your application based on source IP as well as active session.
  • Block that IP / Session if you are getting multiple requests even after sending 429 Too Many Requests response.