class API_Fuzzer::RateLimitCheck
Public Class Methods
fuzz_api_requests(method)
click to toggle source
# File lib/API_Fuzzer/rate_limit_check.rb, line 19 def self.fuzz_api_requests(method) initial_response = fetch_initial_response(method) responses = [] @limit.times do responses << API_Fuzzer::Request.send_api_request( url: @url, method: method, cookies: @cookies, headers: @headers, params: @params ) end vulnerable = true responses.each do |response| if response.code == initial_response.code content_length = response_content_length(response) initial_content_length = response_content_length(initial_response) if content_length != initial_content_length vulnerable = false break end else vulnerable = false break end end @vulnerabilities << API_Fuzzer::Vulnerability.new( description: "API is not rate limited for #{method} #{@url}", value: "API doesn't have any ratelimiting protection enabled which can be implemented by either throttling request or using captcha", type: 'LOW' ) if vulnerable end
scan(options = {})
click to toggle source
# File lib/API_Fuzzer/rate_limit_check.rb, line 6 def self.scan(options = {}) @url = options[:url] @params = options[:params] || {} @headers = options[:headers] || {} @cookies = options[:cookies] || {} @vulnerabilities = [] @limit = options[:limit] || 50 @methods = options[:method] || [:get] @methods.each { |method| fuzz_api_requests(method) } @vulnerabilities.uniq { |vuln| vuln.description } end
Private Class Methods
fetch_initial_response(method)
click to toggle source
# File lib/API_Fuzzer/rate_limit_check.rb, line 55 def self.fetch_initial_response(method) API_Fuzzer::Request.send_api_request( url: @url, method: method, cookies: @cookies, headers: @headers, params: @params ) end
response_content_length(response)
click to toggle source
# File lib/API_Fuzzer/rate_limit_check.rb, line 65 def self.response_content_length(response) response.headers['Content-Length'] || response.body.to_s.size end