Missing 429 response

owasp:api4:2019-rate-limit-response-429

Rule Severity:

High

Ensure API specifications include definitions for 429 responses.
This rule applies at the API Specification level (OAS/Swagger).
APIs endpoints that do not return HTTP status codes descriptions are more difficult to use for developers. Adding standard responses to API specifications ensures use of those APIs is predictable and safe.
When designing or consuming an API, one of the primary concerns is the predictability and reliability of communication between the client and server. At the heart of this predictability lies the many different HTTP status codes, which inform the client about the outcome of its requests. The 429 Too Many Requests response is among these status codes. This response is indicative of rate limiting, which is a common strategy used by API providers to prevent abuse and overuse of resources. This mechanism ensures fair usage, guards against unintentional programming errors that might flood an API, and protects backend services from becoming overwhelmed, thereby preventing degradation in service quality. Including a definition for the 429 response in API specifications will explicitly communicate to consumers of an API the possibility that they might be rate-limited. This not only sets clear expectations but also prompts developers to handle such scenarios gracefully in their applications. If an API client is unaware of the potential for a 429 response, error handling may not be graceful, leading to unpredictable behavior and potential failures in real-world scenarios.

Example Attack Scenario

Brute Force Attacks: Without rate limiting enforced by a 429 response, attackers can conduct brute force attacks more efficiently. For example, they can repeatedly attempt to log in with different credentials or submit requests to vulnerable endpoints at a rapid pace, increasing the likelihood of successfully guessing passwords or exploiting vulnerabilities.

1. How to Identify with Example Scenario

responses:  
 '200'
 # missing '429' response definition 
  description: OK
  content:      
   text/plain:       
    schema:          
     type: string

1. How to Resolve with Example Scenario

responses:  
 '429':
  description: 
   Too Many Requests # a description is required    
  content:      
   text/plain:       
    schema:          
     type: string

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings