# File 'lib/API_Fuzzer/rate_limit_check.rb', line 19
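# Check whether +method+ requests to @url are rate limited.
#
# Sends one baseline request, then @limit further identical requests in a
# row. The endpoint is recorded as lacking rate limiting only when every
# repeated response matches the baseline in both status code and content
# length; any deviation (a different status, or a differently sized body)
# is taken as evidence that some throttling kicked in.
#
# This is a heuristic, not proof: a limiter that throttles silently (adds
# delay but keeps status and body size unchanged) goes undetected, while a
# body whose length varies for unrelated reasons suppresses the finding.
#
# @param method the HTTP method, passed through unchanged to
#   API_Fuzzer::Request.send_api_request and fetch_initial_response
# @return [void] appends an API_Fuzzer::Vulnerability to @vulnerabilities
#   when no rate limiting is observed
def self.fuzz_api_requests(method)
  initial_response = fetch_initial_response(method)

  responses = @limit.times.map do
    API_Fuzzer::Request.send_api_request(
      url: @url,
      method: method,
      cookies: @cookies,
      headers: @headers,
      params: @params
    )
  end

  # With @limit <= 0 nothing was exercised; reporting "not rate limited"
  # here would be a false positive, so stop instead of recording a finding.
  return if responses.empty?

  # Every repeat must look exactly like the baseline for the endpoint to be
  # flagged. Status is compared first so body lengths are only computed when
  # the status already matches.
  vulnerable = responses.all? do |response|
    response.code == initial_response.code &&
      response_content_length(response) == response_content_length(initial_response)
  end
  return unless vulnerable

  @vulnerabilities << API_Fuzzer::Vulnerability.new(
    description: "API is not rate limited for #{method} #{@url}",
    value: "API doesn't have any ratelimiting protection enabled which can be implemented by either throttling request or using captcha",
    type: 'LOW'
  )
end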