Typescript Forwarded For Rate Limit Bypass
Description
Detects express-rate-limit configurations whose keyGenerator derives the limiter key directly from the X-Forwarded-For header. That header is written by the client (or by any untrusted hop in front of the application), so an attacker can put a different address in it on every request and land in a fresh bucket each time; the limit never trips and the limiter offers no protection against brute-force or resource-exhaustion (denial-of-service) traffic. Only the entries appended by proxies you control are trustworthy: the real client address is the first entry, reading the chain from right to left, that was not added by a trusted proxy, which is exactly what Express computes for req.ip once the trust proxy setting lists those proxies. Setting trust proxy to true has the same effect as the vulnerable keyGenerator, since it makes Express believe every X-Forwarded-For entry.
Detection Strategy
• Check whether the application imports the 'express-rate-limit' package
• Locate the rateLimit(...) calls that build the limiter middleware
• Inspect the keyGenerator option passed to each call
• Flag keyGenerator implementations that take the client address straight from a request header (X-Forwarded-For) instead of the proxy-validated req.ip
• Report a vulnerability when the limiter key is derived from such client-controlled input
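As an added example that is not part of the Fluid Attacks rule, the steps above turned into a small heuristic scanner in TypeScript. It is regex-based, so it only approximates what an AST-based rule does (it matches keyGenerator written as an arrow or function expression and checks the body for the header name); the two source snippets it is run over, and the names scanRateLimiter, extractBody and Finding, are mine and not from the page:

```typescript
// Added example: heuristic detector for the pattern this rule describes.
// Regex-based, so it approximates what an AST rule would do; sample sources are constructed.

interface Finding {
  line: number;
  reason: string;
}

// Step 1: does the file use express-rate-limit at all (CommonJS or ESM import)?
const RATE_LIMIT_IMPORT =
  /require\(\s*['"]express-rate-limit['"]\s*\)|from\s+['"]express-rate-limit['"]/;
// Step 3: a keyGenerator option written as an arrow or function expression.
const KEY_GENERATOR =
  /keyGenerator\s*:\s*(?:async\s+)?(?:function\s*\([^)]*\)\s*|(?:\([^)]*\)|\w+)\s*=>\s*)/g;
// Step 4: the body reads the client-controlled header.
const FORWARDED_FOR = /x-forwarded-for/i;

// Source text of the function body starting at `start`: a balanced `{ ... }` block,
// or the rest of the line for a concise arrow body.
function extractBody(source: string, start: number): string {
  if (source.charAt(start) !== "{") {
    const eol = source.indexOf("\n", start);
    return source.slice(start, eol < 0 ? source.length : eol);
  }
  let depth = 0;
  for (let i = start; i < source.length; i++) {
    const ch = source.charAt(i);
    if (ch === "{") depth++;
    else if (ch === "}" && --depth === 0) return source.slice(start, i + 1);
  }
  return source.slice(start); // unbalanced braces: take what is there
}

function lineOf(source: string, index: number): number {
  return source.slice(0, index).split("\n").length;
}

function scanRateLimiter(source: string): Finding[] {
  const findings: Finding[] = [];
  if (!RATE_LIMIT_IMPORT.test(source)) return findings; // package not used: nothing to check
  KEY_GENERATOR.lastIndex = 0;
  let match: RegExpExecArray | null;
  while ((match = KEY_GENERATOR.exec(source)) !== null) {
    const body = extractBody(source, match.index + match[0].length);
    if (FORWARDED_FOR.test(body)) {
      findings.push({
        line: lineOf(source, match.index),
        reason: "keyGenerator builds the limiter key from X-Forwarded-For, a client-controlled header",
      });
    }
  }
  return findings; // step 5: report
}

// Constructed samples (not the page's snippets).
const VULNERABLE_SOURCE = `const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  keyGenerator: (req) => {
    const forwarded = req.headers['x-forwarded-for'];
    return forwarded ? forwarded.split(',')[0].trim() : req.ip;
  },
});`;

const SAFE_SOURCE = `import rateLimit from 'express-rate-limit';
app.set('trust proxy', ['10.0.0.0/8']);
const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, keyGenerator: (req) => req.ip });`;

console.log(scanRateLimiter(VULNERABLE_SOURCE)); // one finding, line 5
console.log(scanRateLimiter(SAFE_SOURCE)); // []
```

The import gate matters: a keyGenerator that reads X-Forwarded-For inside a file that never touches express-rate-limit is a different (or no) finding, so the scanner stays silent there. A production rule would resolve the rateLimit call by symbol rather than by option name, which this regex version does not attempt.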
Vulnerable code example
const rateLimit = require('express-rate-limit');
const express = require('express');
const app = express();
app.use('/api', rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,
  // Body reconstructed where the page truncates it, following the description:
  // the leftmost X-Forwarded-For entry is client-controlled, so each request can
  // present a fresh key and the limit never trips.
  keyGenerator: (req) => {
    const forwarded = req.headers['x-forwarded-for'];
    return forwarded ? forwarded.split(',')[0].trim() : req.ip;
  },
}));
✅ Secure code example
const rateLimit = require('express-rate-limit');
const express = require('express');
const app = express();
// Define trusted proxy IPs (configure based on your infrastructure)
const trustedProxies = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
// Only these peers may set X-Forwarded-For; req.ip then resolves to the first
// untrusted hop. (Options below are reconstructed where the page truncates them.)
app.set('trust proxy', trustedProxies);
app.use('/api', rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // default keyGenerator uses req.ip
}));
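The two key strategies run head to head, as an added example that is not part of the original page and does not use express-rate-limit or Express itself: resolveClientIp re-implements the right-to-left trusted-hop walk that Express performs for req.ip when trust proxy is set (IPv4 only here), forwardedForKey is the vulnerable header-first key, and a fixed-window counter stands in for the limiter. The traffic is constructed: one attacker at 203.0.113.7 behind a trusted reverse proxy at 10.0.0.5, spoofing a new X-Forwarded-For value per request while the proxy appends the real peer address. All function and variable names are mine.

```typescript
// Added example: vulnerable vs. hardened limiter keys over constructed traffic.

interface IncomingRequest {
  socketAddr: string;    // TCP peer address (req.socket.remoteAddress)
  forwardedFor?: string; // X-Forwarded-For header as received, if any
}

function ipv4ToInt(ip: string): number {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  const [a, b, c, d] = parts as [number, number, number, number];
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const net = slash < 0 ? cidr : cidr.slice(0, slash);
  const len = slash < 0 ? 32 : Number(cidr.slice(slash + 1));
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Vulnerable: the leftmost X-Forwarded-For entry is whatever the client wrote.
function forwardedForKey(req: IncomingRequest): string {
  const first = req.forwardedFor?.split(",")[0]?.trim();
  return first || req.socketAddr;
}

// Hardened: start at the socket peer and step left through X-Forwarded-For only
// while the current hop is a trusted proxy; the first untrusted hop is the client.
function resolveClientIp(req: IncomingRequest, trustedProxies: string[]): string {
  const isTrusted = (addr: string): boolean => {
    try {
      return trustedProxies.some((cidr) => inCidr(addr, cidr));
    } catch {
      return false; // an unparsable hop is never a trusted proxy
    }
  };
  const hops = (req.forwardedFor ?? "").split(",").map((h) => h.trim()).filter(Boolean).reverse();
  let client = req.socketAddr;
  for (const hop of hops) {
    if (!isTrusted(client)) break;
    client = hop;
  }
  return client;
}

// Minimal fixed-window limiter: counts hits per key, reports how many got through.
function simulate(keyFor: (req: IncomingRequest) => string, requests: IncomingRequest[], max: number) {
  const counts: Record<string, number> = {};
  let allowed = 0;
  let blocked = 0;
  for (const req of requests) {
    const key = keyFor(req);
    const n = (counts[key] ?? 0) + 1;
    counts[key] = n;
    if (n <= max) allowed++; else blocked++;
  }
  return { allowed, blocked };
}

const TRUSTED_PROXIES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Constructed traffic: the proxy (10.0.0.5) appends the real peer, so the app
// sees "spoofed, 203.0.113.7" with a different spoofed value on every request.
function attackTraffic(n: number): IncomingRequest[] {
  return Array.from({ length: n }, (_, i) => ({
    socketAddr: "10.0.0.5",
    forwardedFor: `198.51.100.${i % 256}, 203.0.113.7`,
  }));
}

function runScenario(max = 100, n = 150) {
  const traffic = attackTraffic(n);
  return {
    vulnerable: simulate(forwardedForKey, traffic, max),
    hardened: simulate((req) => resolveClientIp(req, TRUSTED_PROXIES), traffic, max),
  };
}

console.log(runScenario()); // vulnerable: 150 allowed; hardened: 100 allowed, 50 blocked
```

Two details worth checking in your own deployment: a client that connects directly (socket address not in the trusted list) gets its own address as the key no matter what it puts in X-Forwarded-For, and chained proxies work because the walk keeps stepping left while each hop is trusted. If the trusted list is wider than the proxies you actually run (or trust proxy is simply true), the hardened path degrades back to the vulnerable one.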