June 16, 2026
Research On No Rate Limit Issues
FARAZ A.K
5 min read
INTRODUCTION
In today's digital world, web applications provide various services such as online banking, ecommerce, social networking, education, healthcare, and government services. These applications receive and process thousands of requests from users every day. While most requests come from legitimate users, attackers may attempt to abuse application functionality by sending excessive numbers of requests within a short period of time.
To protect applications from such abuse, developers implement a security mechanism known as Rate Limiting. Rate limiting controls how many requests a user can make during a specific time period. It helps prevent attacks such as brute-force attacks, credential stuffing, API abuse, denial-of-service attacks, and email bombing.
When an application fails to implement proper rate limiting, attackers can repeatedly access sensitive functionality without restrictions. This vulnerability is known as a No Rate Limit Issue. Such vulnerabilities can have serious consequences, including service disruption, resource exhaustion, account compromise attempts, and excessive email generation.
This report discusses the concept of rate limiting, its working mechanism, the risks associated with missing rate limits, the impact of No Rate Limit vulnerabilities, and how the absence of rate limiting on Forgot Password functionality can lead to Email Bombing attacks.
WHAT IS RATE LIMIT?
Rate limiting is a security control used to restrict the number of requests a user, device, account, or IP address can make to a server within a specified period of time.
The primary purpose of rate limiting is to prevent abuse and ensure fair usage of application resources. Without rate limiting, attackers could continuously send requests and overwhelm the application.
Rate limiting acts as a protective barrier between users and the server. It ensures that no user can excessively consume resources or abuse application functionality.
For example, a website may allow:
- 5 login attempts per minute
- 10 password reset requests per hour
- 100 API requests per minute
- 20 registration attempts per day
If a user exceeds these limits, the server may temporarily block additional requests or delay processing. Rate limiting is widely used in web applications, mobile applications, APIs, cloud services, and authentication systems to maintain security and availability.
Example: Suppose a login page allows only five login attempts per minute.
- Attempt 1 → Allowed
- Attempt 2 → Allowed
- Attempt 3 → Allowed
- Attempt 4 → Allowed
- Attempt 5 → Allowed
- Attempt 6 → Blocked
This prevents attackers from rapidly attempting many passwords.
HOW DOES RATE LIMITING WORK?
Rate limiting works by tracking the number of requests made by users and comparing them against predefined limits.
The application identifies users through:
- IP Address
- User Account
- Session ID
- API Key
- Device Identifier
Every request is recorded by the server.
When a request arrives, the server checks whether the user has exceeded the allowed limit.
Basic Working Process:
- User sends a request.
- Server receives the request.
- Server checks previous requests from the same source.
- Request count is compared with the configured limit.
- If within limits, the request is processed.
- If the limit is exceeded, the request is rejected or delayed.
Example: Assume allowed requests = 10 and time window = 60 seconds. The server will process the first ten requests normally.
- Request 1 → Allowed
- Request 2 → Allowed
- Request 3 → Allowed
- …
- Request 10 → Allowed
- Request 11 → Blocked
Common Rate Limiting Methods
Fixed Window:
A fixed number of requests are allowed during a specific time period.
Example: 100 requests per hour. Once the limit is reached, additional requests are blocked until the next hour.
Sliding Window:
The system continuously evaluates requests over a moving time period. This method provides more accurate protection and prevents attackers from abusing fixed time boundaries.
Token Bucket:
Users receive tokens at a fixed rate. Each request consumes one token. If no tokens remain, requests are denied.
Leaky Bucket:
Requests are processed at a constant rate. Excess requests are delayed or discarded. This method prevents sudden traffic spikes.
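The basic working process above (count requests per source, compare against a limit) and the four methods just listed, as an added example that is not part of the original article. Each limiter is keyed per client and driven by an injectable clock so runs are deterministic; the limits, the client key and the `boundary_probe` scenario are constructed for illustration. The probe shows the fixed-boundary weakness the Sliding Window paragraph refers to: ten requests just before a window boundary and ten just after.

```python
"""Four rate-limiting strategies, each keyed per client, with a manual clock.
Added example with constructed limits; not the article's own code."""
from collections import defaultdict, deque


class FakeClock:
    """Time only moves when the caller advances it (keeps tests deterministic)."""
    def __init__(self, t=0.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class FixedWindow:
    """`limit` requests per `window` seconds; counters reset at fixed
    boundaries (0, window, 2*window, ...)."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.counts = defaultdict(int)  # (key, window index) -> requests seen

    def allow(self, key):
        bucket = (key, int(self.clock() // self.window))
        if self.counts[bucket] >= self.limit:
            return False
        self.counts[bucket] += 1
        return True


class SlidingWindow:
    """`limit` requests in any trailing `window` seconds (sliding log), so a
    burst straddling a fixed boundary is still counted as one burst."""
    def __init__(self, limit, window, clock):
        self.limit, self.window, self.clock = limit, window, clock
        self.log = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key):
        now, q = self.clock(), self.log[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class TokenBucket:
    """Tokens refill at `rate`/s up to `capacity`; each request spends one.
    Short bursts up to `capacity` pass, the sustained rate is capped."""
    def __init__(self, capacity, rate, clock):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.state = {}  # key -> (tokens, last refill time)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[key] = (tokens - 1 if ok else tokens, now)
        return ok


class LeakyBucket:
    """Queue of depth `capacity` that drains at `rate`/s; requests that do
    not fit are discarded, smoothing spikes into a constant rate."""
    def __init__(self, capacity, rate, clock):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.state = {}  # key -> (queue level, last drain time)

    def allow(self, key):
        now = self.clock()
        level, last = self.state.get(key, (0.0, now))
        level = max(0.0, level - (now - last) * self.rate)
        ok = level + 1 <= self.capacity
        self.state[key] = (level + 1 if ok else level, now)
        return ok


def run_burst(limiter, key, n):
    """Send n back-to-back requests; return (allowed, blocked)."""
    allowed = sum(1 for _ in range(n) if limiter.allow(key))
    return allowed, n - allowed


def boundary_probe(limiter_cls):
    """Constructed scenario: 10 requests at t=59 s and 10 more at t=60 s
    against a 10-per-60-s limit. Returns how many of the 20 got through."""
    clock = FakeClock(59.0)
    lim = limiter_cls(limit=10, window=60, clock=clock)
    first, _ = run_burst(lim, "203.0.113.5", 10)
    clock.advance(1.0)
    second, _ = run_burst(lim, "203.0.113.5", 10)
    return first + second
```

`boundary_probe(FixedWindow)` returns 20 (both bursts pass because the counter resets at t=60) while `boundary_probe(SlidingWindow)` returns 10, which is the practical reason to prefer a sliding window or bucket algorithm on authentication endpoints. The per-key state here is in-process memory; a deployment with several application servers needs a shared store for the counters, otherwise each server enforces its own copy of the limit.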
WHAT IS NO RATE LIMIT?
A No Rate Limit vulnerability occurs when an application does not impose restrictions on how frequently a user can perform an action. In such situations, attackers can repeatedly perform sensitive operations without any restrictions.
Examples include:
- Unlimited login attempts
- Unlimited OTP generation
- Unlimited password reset requests
- Unlimited account registrations
- Unlimited API requests
The absence of rate limiting significantly increases the risk of abuse and automated attacks.
Example: Consider a Forgot Password feature. A normal user may request a password reset once or twice. Without rate limiting:
- Request 1 → Email Sent
- Request 2 → Email Sent
- Request 3 → Email Sent
- Request 100 → Email Sent
- Request 1000 → Email Sent
The application continues processing requests without restriction. This behavior can be abused by attackers.
Why No Rate Limit Is Dangerous
When no restrictions exist:
- Attackers can automate requests.
- Resources are consumed unnecessarily.
- Users may experience service disruptions.
- Sensitive functions become vulnerable to abuse.
IMPACTS OF NO RATE LIMIT
The absence of rate limiting can lead to multiple security and operational issues.
Brute Force Attacks
Attackers may repeatedly attempt different passwords against user accounts. Without rate limiting, thousands of password attempts can be made within a short period.
Impact
- Unauthorized access
- Account compromise
- Data theft
Credential Stuffing Attacks
Attackers use leaked username-password combinations obtained from previous breaches. Automated tools can rapidly test these credentials.
Impact
- Unauthorized account access
- Identity theft
- Privacy violations
OTP Abuse
Applications that send OTPs may be abused by repeatedly generating codes.
Impact
- SMS flooding
- Increased costs
- Poor user experience
Resource Exhaustion
Excessive requests consume server resources.
Impact
- High CPU usage
- Increased memory consumption
- Reduced application performance
API Abuse
APIs can be repeatedly accessed without restrictions.
Impact
- Service degradation
- Increased infrastructure costs
- Data scraping
Email Bombing
Attackers repeatedly trigger email generation functions.
Impact
- Inbox flooding
- Loss of productivity
- User frustration
User Enumeration
Attackers can rapidly test usernames and email addresses.
Impact
- Discovery of valid accounts
- Preparation for targeted attacks
Denial of Service (DoS)
Large numbers of requests may overwhelm application resources.
Impact
- Reduced service availability
- System instability
- Downtime
Financial Loss
Organizations may incur additional expenses.
Examples:
- SMS costs
- Email service costs
- Infrastructure scaling costs
Reputation Damage
Repeated abuse may affect user trust.
Impact
- Negative publicity
- Customer dissatisfaction
- Reduced confidence in security
HOW NO RATE LIMIT ON FORGOT PASSWORD LEADS TO EMAIL BOMBING
The Forgot Password feature allows users to reset their passwords when they forget them. Normally, the process works as follows:
- User enters an email address.
- Application verifies the account.
- Password reset email is sent.
- User resets the password.
This functionality is designed to help legitimate users recover access to their accounts. However, if rate limiting is not implemented, attackers can repeatedly trigger password reset requests for the same email address.
Example Scenario: An attacker discovers a victim's email address, victim@example.com, and repeatedly submits password reset requests for it. Each request generates a new password reset email, and the application keeps sending them because no rate limit exists.
Consequences of Email Bombing
Inbox Flooding: The victim receives hundreds or thousands of emails.
Important Emails Become Hidden: Legitimate emails may be buried under password reset messages.
User Frustration: Users become overwhelmed by excessive notifications.
Increased Operational Costs: The organization consumes email service resources unnecessarily.
Potential Distraction: Attackers may use email flooding to distract victims from noticing other suspicious activity.
Prevention
Organizations should implement:
- Rate limiting
- CAPTCHA
- Request throttling
- Monitoring and alerting
- Temporary request cooldowns
- Multi-factor authentication
- Account protection mechanisms
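The Forgot Password flow and the prevention list above, as an added example that is not part of the original article: the same endpoint simulated once without any limit (the email-bombing case) and once with three of the listed controls, a per-email cooldown, a per-IP request limit with the article's example figure of 10 reset requests per hour, and a uniform response so the endpoint cannot be used for user enumeration. The addresses, the limits, the `MailSpy` stand-in for the mail service and the audit log format are constructed for illustration.

```python
"""Forgot Password endpoint: vulnerable and hardened versions side by side.
Added example; addresses, limits and the mailer stand-in are constructed."""
from collections import defaultdict

# Identical for known and unknown addresses, so the endpoint leaks nothing.
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."


class FakeClock:
    """Manual clock so the simulation does not depend on wall time."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class MailSpy:
    """Stand-in for the outbound mail service; counts messages per recipient."""
    def __init__(self):
        self.sent = defaultdict(int)
    def send_reset(self, to):
        self.sent[to] += 1


class ForgotPasswordNoLimit:
    """Vulnerable version: every request for a known account reaches the mailer."""
    def __init__(self, accounts, mailer, clock):
        self.accounts, self.mailer = accounts, mailer
        self.audit = []  # nothing is ever recorded as abuse

    def request_reset(self, email, client_ip):
        if email in self.accounts:
            self.mailer.send_reset(email)
        return GENERIC_RESPONSE


class ForgotPasswordHardened:
    """Hardened version. Constructed defaults: one email per address per
    300 s cooldown, 10 requests per IP per hour, same reply for every address."""
    def __init__(self, accounts, mailer, clock, cooldown=300, ip_limit=10, window=3600):
        self.accounts, self.mailer, self.clock = accounts, mailer, clock
        self.cooldown, self.ip_limit, self.window = cooldown, ip_limit, window
        self.last_sent = {}                # email -> time of last reset email
        self.ip_counts = defaultdict(int)  # (ip, window index) -> requests
        self.audit = []                    # lines a monitoring rule can alert on

    def request_reset(self, email, client_ip):
        now = self.clock()
        bucket = (client_ip, int(now // self.window))
        self.ip_counts[bucket] += 1
        if self.ip_counts[bucket] > self.ip_limit:
            self.audit.append(f"RATE_LIMIT ip={client_ip} t={now:.0f}")
            return GENERIC_RESPONSE
        if email in self.accounts:
            last = self.last_sent.get(email)
            if last is not None and now - last < self.cooldown:
                self.audit.append(f"COOLDOWN email={email} ip={client_ip} t={now:.0f}")
                return GENERIC_RESPONSE
            self.last_sent[email] = now
            self.mailer.send_reset(email)
        return GENERIC_RESPONSE  # unknown address: same reply, no email


def simulate_flood(handler_cls, attempts, attacker_ip="203.0.113.7"):
    """Replay `attempts` reset requests for victim@example.com from one IP,
    one per second. Returns (emails the victim received, audit entries)."""
    clock, mailer = FakeClock(), MailSpy()
    handler = handler_cls({"victim@example.com"}, mailer, clock)
    for _ in range(attempts):
        handler.request_reset("victim@example.com", attacker_ip)
        clock.advance(1.0)
    return mailer.sent["victim@example.com"], len(handler.audit)


def legitimate_retry():
    """A real user who asks twice, ten minutes apart, still gets both emails."""
    clock, mailer = FakeClock(), MailSpy()
    handler = ForgotPasswordHardened({"user@example.com"}, mailer, clock)
    handler.request_reset("user@example.com", "198.51.100.9")
    clock.advance(600)
    handler.request_reset("user@example.com", "198.51.100.9")
    return mailer.sent["user@example.com"]


def responses_match():
    """Known and unknown addresses must produce identical responses."""
    handler = ForgotPasswordHardened({"user@example.com"}, MailSpy(), FakeClock())
    known = handler.request_reset("user@example.com", "192.0.2.1")
    unknown = handler.request_reset("nobody@example.com", "192.0.2.1")
    return known == unknown
```

`simulate_flood(ForgotPasswordNoLimit, 1000)` delivers 1000 emails to the victim and records nothing; `simulate_flood(ForgotPasswordHardened, 1000)` delivers one email and records 999 audit entries, which is the signal a monitoring rule should alert on (many `COOLDOWN` or `RATE_LIMIT` lines for one address or one source IP in a short time). The per-email cooldown is the control that actually stops inbox flooding, since an attacker can change source IPs but cannot change the victim's address.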
Importance of Addressing No Rate Limit Issues
Rate limiting is an essential security mechanism that helps protect web applications from excessive and malicious requests. When rate limiting is not implemented, attackers can automate activities such as brute-force attacks, credential stuffing, account enumeration, and API abuse, potentially leading to unauthorized access, data exposure, and service disruption.
Regular security assessments help organizations identify missing or ineffective rate-limiting controls before they can be exploited. By continuously evaluating authentication endpoints, APIs, and other critical application functions, organizations can reduce the risk of automated attacks and improve their overall security posture. Many organizations also collaborate with penetration testing vendors to identify and remediate security weaknesses, including rate-limiting issues, before they can be leveraged by attackers.
CONCLUSION
Rate limiting is a critical security control that protects web applications from abuse and automated attacks. By restricting the number of requests users can perform within a specific period, organizations can reduce the risk of brute-force attacks, credential stuffing, API abuse, denial-of-service attacks, and email bombing.
A No Rate Limit vulnerability occurs when applications fail to enforce these restrictions. As a result, attackers can repeatedly abuse sensitive functionality, causing service disruption, resource exhaustion, and user inconvenience.
One of the most common consequences of missing rate limits is email bombing through the Forgot Password feature. Attackers can repeatedly trigger password reset requests and flood a victim's inbox with thousands of emails.
To protect users and maintain application security, organizations must implement strong rate limiting mechanisms, CAPTCHA protections, monitoring systems, request throttling, and secure development practices.