Api Rate Abuse in Sails
How Api Rate Abuse Manifests in Sails
Api rate abuse in Sails applications typically exploits the framework's flexible routing and default configurations. Sails' automatic route generation for controllers creates numerous endpoints that may lack proper rate limiting. Attackers can abuse these endpoints through several patterns:
Controller Method Abuse: Sails automatically generates RESTful routes for controller actions. Without rate limiting, an attacker can repeatedly call actions like find, create, or update to overwhelm your database or API gateway.
// Vulnerable controller without rate limiting
module.exports = {
find: async function (req, res) {
// No rate limiting - can be abused
const users = await User.find();
return res.json(users);
}
}
Blueprint Route Abuse: Sails' blueprint routes expose CRUD operations automatically. An attacker can enumerate these routes and abuse them systematically.
// Blueprint routes expose all these endpoints automatically
// GET /api/user -> find()
// POST /api/user -> create()
// PUT /api/user/:id -> update()
// DELETE /api/user/:id -> destroy()
Policy Bypass Attempts: Sails policies can be bypassed if not properly configured. An attacker might target endpoints that lack policies or where policies are incorrectly ordered.
// Policies applied incorrectly - can be bypassed
module.exports.policies = {
'*': ['isAuthenticated'], // All endpoints require auth
UserController: {
find: true // BUT find() is accessible without auth
}
}
Waterfall Attacks: Attackers often combine rate abuse with other vulnerabilities. For example, abusing a rate-unlimited endpoint to trigger expensive database queries, then using the response timing to extract information.
Sails-Specific Detection
Detecting rate abuse in Sails requires examining both configuration and runtime behavior. middleBrick's black-box scanning approach is particularly effective for Sails applications because it tests the actual API surface without needing source code access.
Policy Configuration Analysis: middleBrick scans your Sails application to identify endpoints lacking rate limiting policies. The scanner checks for common patterns where rate limiting should exist but is missing.
# Scan a Sails API with middleBrick
middlebrick scan https://api.yourservice.com
Runtime Behavior Testing: The scanner sends controlled request bursts to identify endpoints that don't enforce rate limits. This reveals both missing policies and misconfigured ones.
Blueprint Route Enumeration: middleBrick automatically discovers Sails blueprint routes and tests them for rate limiting, even if they're not documented in your OpenAPI spec.
Policy Hierarchy Verification: The scanner checks if your Sails policies are correctly ordered and applied. A common issue is having global policies that are then incorrectly overridden at the controller level.
LLM Endpoint Detection: For Sails applications using AI/ML features, middleBrick's unique LLM security scanning detects unauthenticated AI endpoints that could be abused for cost exploitation or data exfiltration.
middleBrick provides a security score (0-100) with specific findings for each vulnerable endpoint, including severity levels and remediation guidance tailored to Sails applications.
Sails-Specific Remediation
Remediating rate abuse in Sails requires leveraging the framework's policy system and configuration options. Here are Sails-specific solutions:
Global Rate Limiting Policy: Create a reusable rate limiting policy that can be applied globally or to specific controllers.
// api/policies/rateLimit.js
const rateLimit = require('express-rate-limit');
module.exports = async function (req, res, proceed) {
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP to 100 requests per windowMs
message: 'Too many requests from this IP'
});
// Apply the limiter
limiter(req, res, proceed);
};
Controller-Specific Rate Limiting: Apply rate limits to specific controllers that handle sensitive operations.
// api/controllers/UserController.js
module.exports = {
find: async function (req, res) {
// Rate limited at the controller level
const users = await User.find();
return res.json(users);
},
create: async function (req, res) {
// Different rate limits for different actions
const newUser = await User.create(req.body).fetch();
return res.json(newUser);
}
};
// Apply policies in config/policies.js
module.exports.policies = {
UserController: {
find: ['rateLimit', 'isAuthenticated'],
create: ['rateLimit', 'isAdmin']
}
};
Blueprint Route Protection: Explicitly define policies for blueprint routes to prevent abuse.
// config/policies.js
module.exports.policies = {
'*': ['rateLimit', 'isAuthenticated'],
UserController: {
find: ['rateLimit', 'isAuthenticated'],
create: ['rateLimit', 'isAdmin'],
update: ['rateLimit', 'isAuthenticated'],
destroy: ['rateLimit', 'isAdmin']
}
};
Advanced Rate Limiting with Redis: For distributed Sails applications, use Redis-backed rate limiting to track requests across multiple instances.
// api/policies/redisRateLimit.js
const Redis = require('ioredis');
const redis = new Redis();
module.exports = async function (req, res, proceed) {
const key = `rate-limit:${req.ip}`;
const current = await redis.incr(key);
if (current === 1) {
await redis.expire(key, 900); // 15 minutes
}
if (current > 100) {
return res.status(429).json({
error: 'Rate limit exceeded'
});
}
proceed();
};
LLM Endpoint Protection: For Sails applications with AI features, implement specific rate limits for LLM endpoints to prevent cost exploitation.
// api/policies/llmRateLimit.js
module.exports = async function (req, res, proceed) {
if (req.options.controller === 'ai' && req.options.action === 'generate') {
// Stricter limits for AI endpoints
const key = `llm-rate-limit:${req.ip}`;
const current = await redis.incr(key);
if (current === 1) {
await redis.expire(key, 60); // 1 minute
}
if (current > 10) {
return res.status(429).json({
error: 'AI rate limit exceeded'
});
}
}
proceed();
};