Add Rate Limiting to specific endpoints - huntr.dev #177
https://huntr.dev/users/arjunshibu has fixed the Lack of Rate Limiting vulnerability 🔨. arjunshibu has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/traduora/3/README.md |
User Comments:
📊 Metadata *
Traduora is a translation management platform for teams. Once you set up your project you can import and export your translations to various formats, work together with your team, instantly deliver translation updates over the air, and soon automatically translate your project via third-party integrations.
Bounty URL: https://www.huntr.dev/bounties/3-other-traduora
⚙️ Description *
Lack of Rate Limiting in the login page of traduora.
💻 Technical Description *
Traduora uses a weak algorithm to implement rate limiting, which only tries to protect against incoming requests issued to `/api/v1/auth/token`. This fix uses the express-rate-limit package. I've implemented the rate limiter as a global middleware so all the `/api` endpoints are protected.
🐛 Proof of Concept (PoC) *
Existing Protection
Bypass
🔥 Proof of Fix (PoF) *
After the fix, all the API endpoints are protected with rate limiting.
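The difference between the "before" state (a limiter guarding only the token endpoint) and the fix (one limiter mounted on the `/api` prefix) can be shown with a small self-contained model. This is an added example, not Traduora's code and not the express-rate-limit package: it implements a fixed-window per-IP limiter with the Express `(req, res, next)` signature and a tiny stand-in for `app.use(prefix, middleware)`; the `req.now` field is an injectable clock assumed for testing.

```javascript
// Fixed-window limiter keyed by client IP with the Express (req, res, next) signature.
// Written for this example: it is not Traduora's code nor the express-rate-limit package.
function createRateLimiter({ windowMs, max }) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function limiter(req, res, next) {
    const now = req.now ?? Date.now(); // req.now is an injectable clock, an assumption for testing
    let entry = hits.get(req.ip);
    if (!entry || now >= entry.resetAt) { // first hit, or the window has expired: start a new one
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.setHeader('Retry-After', Math.ceil((entry.resetAt - now) / 1000));
      return res.status(429).send('Too Many Requests');
    }
    next(); // under the limit: hand the request to the next layer
  };
}
// Minimal stand-in for an Express app: use(prefix, mw) mounts mw for the prefix and every
// path beneath it, which is what app.use('/api', limiter) does in Express.
function createApp() {
  const layers = [];
  return {
    use(prefix, mw) { layers.push({ prefix, mw }); },
    handle(req) {
      const res = { statusCode: 200, headers: {},
        setHeader(k, v) { this.headers[k] = String(v); },
        status(c) { this.statusCode = c; return this; }, send() { return this; } };
      const chain = layers.filter(l => req.path === l.prefix || req.path.startsWith(l.prefix + '/'));
      let i = 0;
      const next = () => { if (i < chain.length) chain[i++].mw(req, res, next); };
      next();
      return res;
    },
  };
}
// Send n requests from one client to path at a fixed clock value; return the final status code.
function lastStatus(app, path, n, ip, now = 0) {
  let status = 200;
  for (let k = 0; k < n; k++) status = app.handle({ ip, path, now }).statusCode;
  return status;
}
// "Before": the limiter guards only the token endpoint, the gap the description points out.
const before = createApp();
before.use('/api/v1/auth/token', createRateLimiter({ windowMs: 60_000, max: 5 }));
// "After": one limiter mounted on the /api prefix covers every endpoint beneath it.
const after = createApp();
after.use('/api', createRateLimiter({ windowMs: 60_000, max: 5 }));
```

With the "before" wiring, a sixth request to any other `/api` route from the same client still returns 200; with the prefix-mounted limiter it returns 429 until the window resets.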
+1 User Acceptance Testing (UAT)