Implementing Rate Limiting on the /file Endpoint to Prevent Brute-Force Attacks

During a recent security assessment of one of our applications, a key vulnerability was identified regarding the absence of rate limiting on the /file endpoint.

Vulnerability Description

The /file endpoint, which appears to be an inherent Mendix endpoint rather than one we explicitly exposed ourselves, currently allows unrestricted requests, even at high volumes. During testing, approximately 9000 brute-force attempts were made on the GUID parameter within a 2-minute window (about 48 requests per second). This lack of throttling could allow a malicious actor to potentially brute-force the GUID and download confidential files from the database.

Recommendation

The security team recommended implementing rate-limiting controls to mitigate brute-force attacks. Specifically, they suggested limiting the number of requests per user or source IP address within a defined time frame (e.g., 10 requests per 10 seconds).

Challenge

I'm looking for a way to implement rate limiting on a specific endpoint in Mendix, particularly the /file endpoint. I've found a marketplace module that throttles requests to microflows, but this doesn't meet the requirement, as it doesn't directly protect file downloads or the /file endpoint itself.

Has anyone implemented rate limiting on a Mendix application, especially for file downloads or similar endpoints? I'm looking for guidance or solutions to address this security concern effectively.

Any advice or insights would be greatly appreciated. Thanks in advance!
asked
1 answer
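The recommendation in the question (at most 10 requests per 10 seconds, keyed by user or source IP) maps onto a sliding-window counter. The following Java class is an added example written for this thread; it is not the Mendix runtime API, not the marketplace Ratelimiter module, and not code from the original poster. The class name, the client key format, and the idea of calling tryAcquire from whatever code fronts the /file request handler are all assumptions. The main method replays the burst described in the report (about 48 requests per second for two minutes from one address) to show how many of those requests the policy would let through.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Sliding-window rate limiter keyed by client identity (source IP or
 * logged-in user), implementing the policy suggested in the question:
 * at most maxRequests per windowMillis on the /file endpoint.
 *
 * Hypothetical example: nothing here is Mendix-specific. How the caller
 * obtains the client key and where it rejects the request (HTTP 429 is
 * the conventional status) is left to the integration.
 */
public class FileEndpointRateLimiter {

    private final int maxRequests;
    private final long windowMillis;
    // One queue of request timestamps per client key. ConcurrentHashMap lets
    // request-handling threads share the limiter; each queue is locked on use.
    private final Map<String, Deque<Long>> windows = new ConcurrentHashMap<>();

    public FileEndpointRateLimiter(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    /** Returns true if the request may proceed, false if it must be rejected. */
    public boolean tryAcquire(String clientKey, long nowMillis) {
        Deque<Long> window = windows.computeIfAbsent(clientKey, k -> new ArrayDeque<>());
        synchronized (window) {
            // Drop timestamps that have aged out of the window.
            while (!window.isEmpty() && nowMillis - window.peekFirst() >= windowMillis) {
                window.pollFirst();
            }
            if (window.size() >= maxRequests) {
                return false; // limit reached within the current window
            }
            window.addLast(nowMillis);
            return true;
        }
    }

    /** Convenience overload using the wall clock. */
    public boolean tryAcquire(String clientKey) {
        return tryAcquire(clientKey, System.currentTimeMillis());
    }

    /** Replays the burst from the report: 9000 requests at ~48 per second from one IP. */
    public static void main(String[] args) {
        FileEndpointRateLimiter limiter = new FileEndpointRateLimiter(10, 10_000);
        String attackerKey = "ip:203.0.113.7"; // constructed sample address (TEST-NET-3)
        int allowed = 0;
        int rejected = 0;
        long t = 0;
        for (int i = 0; i < 9000; i++) {
            if (limiter.tryAcquire(attackerKey, t)) {
                allowed++;
            } else {
                rejected++;
            }
            t += 21; // ~48 requests per second
        }
        System.out.println("burst from one source: allowed=" + allowed + " rejected=" + rejected);
        // A different client key is counted separately and is unaffected by the burst.
        System.out.println("other client allowed: " + limiter.tryAcquire("user:alice", t));
    }
}
```

Two practical points when wiring something like this in: behind a load balancer or reverse proxy the socket address is the proxy's, so the IP key has to come from a forwarded-address header that only the proxy is allowed to set; and a per-key in-memory map grows with the number of distinct clients, so idle keys should be evicted periodically or the state kept in a shared store if the app runs with several instances.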

This lack of throttling could allow a malicious actor to potentially brute-force the GUID and download confidential files from the database.

If your security and logic are set correctly I do not see this scenario happening. What in my opinion is more likely is that the app performance can be influenced negatively, at such a level that it might shut down and restart. Not saying that this is okay, because this can also be abused for unwanted behaviour...

An option could be to add parameters with an offset and amount so you have more control over the requests. When a request hits the limit the requester will be required to do an additional request with a changed offset.

This module could be interesting too: Ratelimiter for Mendix. I do not have experience with this module but it might add some options in your search for a fitting solution.

[edit]

In addition:

Mendix Restrict Access for Incoming Requests

Implement Mendix Best Practices for App Security

From what I understand after reading more carefully, you are wondering about when someone manipulates the guid, e.g.:

https://application.mendixcloud.com/file?guid=55555143618734444

towards

https://application.mendixcloud.com/file?guid=55555143618734445

In that case I would refer to how I started my answer: security. If your domain model and entity access are set correctly then this cannot be abused and will return a 401 error.

Which might be an interesting read:

https://community.mendix.com/link/space/app-development/questions/105768

answered