Merge pull request #9 from lalithr95/rate-limit

lalithr95 · web-flow · commit 674f396c9753 · 2016-10-03T05:35:04.000+05:30
implement api rate limiting check
diff --git a/lib/API_Fuzzer.rb b/lib/API_Fuzzer.rb
@@ -9,6 +9,7 @@
 require 'API_Fuzzer/xxe_check'
 require 'API_Fuzzer/redirect_check'
 require 'API_Fuzzer/idor_check'
+require 'API_Fuzzer/rate_limit_check'
 
 module API_Fuzzer
   # Scans all the checks
@@ -22,6 +23,7 @@ def self.scan(options = {})
     vulnerabilities << API_Fuzzer::SqlBlindCheck.scan(options)
     vulnerabilities << API_Fuzzer::RedirectCheck.scan(options)
     vulnerabilities << API_Fuzzer::IdorCheck.scan(options)
+    vulnerabilities << API_Fuzzer::RateLimitCheck(options)
     API_Fuzzer::XxeCheck.scan(options)
     vulnerabilities.uniq.flatten
   end
diff --git a/lib/API_Fuzzer/rate_limit_check.rb b/lib/API_Fuzzer/rate_limit_check.rb
@@ -0,0 +1,66 @@
+require 'API_Fuzzer/vulnerability'
+require 'API_Fuzzer/request'
+
+module API_Fuzzer
+  class RateLimitCheck
+    def self.scan(options = {})
+      @url = options[:url]
+      @params = options[:params] || {}
+      @cookies = options[:cookies] || {}
+      @vulnerabilities = []
+      @limit = options[:limit] || 50
+      @methods = options[:method] || [:get]
+
+      @methods.each { |method| fuzz_api_requests(method) }
+      @vulnerabilities.uniq { |vuln| vuln.description }
+    end
+
+    def self.fuzz_api_requests(method)
+      initial_response = fetch_initial_response(method)
+
+      responses = []
+      @limit.times do
+        responses << API_Fuzzer::Request.send_api_request(
+          url: @url,
+          method: method,
+          cookies: @cookies,
+          params: @params
+        )
+      end
+
+      vulnerable = true
+      responses.each do |response|
+        if response.code  == initial_response.code
+          content_length = response_content_length(response)
+          initial_content_length = response_content_length(initial_response)
+          if  content_length != initial_content_length
+            vulnerable = false
+            break
+          end
+        else
+          vulnerable = false
+          break
+        end
+      end
+      @vulnerabilities << API_Fuzzer::Vulnerability.new(
+        description: "API is not rate limited for #{method} #{@url}",
+        value: "API doesn't have any ratelimiting protection enabled which can be implemented by either throttling request or using captcha",
+        type: 'LOW'
+      ) if vulnerable
+    end
+
+    private
+    def self.fetch_initial_response(method)
+      API_Fuzzer::Request.send_api_request(
+        url: @url,
+        method: method,
+        cookies: @cookies,
+        params: @params
+      )
+    end
+
+    def self.response_content_length(response)
+      response.headers['Content-Length'] || response.body.to_s.size
+    end
+  end
+end
