SpikeArrest policy doesn't use any identifier

Severity
Critical
Applies to
SpikeArrest
Links
CWE-770

Why This Issue Is Important

The lack of an identifier in the SpikeArrest policy is a significant security concern because it means that the rate limit is applied uniformly across all API consumers. This can be exploited by an attacker to launch a Denial of Service (DoS) attack, making the API proxy unavailable to all legitimate users. Without an identifier, the system cannot differentiate between different users, so one user could potentially exhaust the rate limit for everyone, leading to unreliable behavior of the system.


If the proxy is accessible to end users, this risk is even more pronounced, as it increases the likelihood of the proxy being overwhelmed by malicious or high-volume requests. This not only degrades service quality but can also lead to a complete outage, impacting the business by causing downtime and potentially damaging customer trust.

How This Issue Is Detected

This issue is detected by analyzing the XML configuration of the SpikeArrest policy.

Apigee Buddy parses the XML configuration of the SpikeArrest policy to determine whether an Identifier element is present. The rule checks that the Identifier element carries a flow variable reference that uniquely identifies each consumer; if the element is missing, or its reference is missing or empty, the rule reports that the policy does not apply rate limiting per consumer, which is a potential vulnerability.

Additionally, if the endpoint includes end-user authentication, the issue is flagged as even more critical.
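The check described above, as an added illustration that is not Apigee Buddy's own code: a small Python function that parses a SpikeArrest policy and flags it when the Identifier element is absent or its ref attribute is missing or empty. The three sample policies are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from a real proxy): one with no
# Identifier element, one with an empty ref, and one keyed per consumer.
POLICY_NO_IDENTIFIER = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SpikeArrest continueOnError="false" enabled="true" name="SpikeArrest-NoId">
    <DisplayName>SpikeArrest</DisplayName>
    <Rate>50ps</Rate>
</SpikeArrest>"""

POLICY_EMPTY_IDENTIFIER = """<SpikeArrest name="SpikeArrest-EmptyId">
    <Identifier ref="  "/>
    <Rate>50ps</Rate>
</SpikeArrest>"""

POLICY_PER_CONSUMER = """<SpikeArrest name="SpikeArrest-PerClient">
    <Identifier ref="apigee.client_id"/>
    <Rate>50ps</Rate>
</SpikeArrest>"""


def check_spike_arrest_identifier(policy_xml: str) -> dict:
    """Return a finding for one SpikeArrest policy XML document.

    The policy is flagged when the Identifier element is absent, or when its
    ref attribute is missing or blank, because the rate limit then applies
    to all consumers as a single bucket instead of per consumer.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "SpikeArrest":
        raise ValueError(f"not a SpikeArrest policy: <{root.tag}>")
    name = root.get("name", "")
    identifier = root.find("Identifier")
    if identifier is None:
        return {"policy": name, "flagged": True,
                "reason": "Identifier element missing"}
    # A whitespace-only ref is treated the same as a missing one.
    ref = (identifier.get("ref") or "").strip()
    if not ref:
        return {"policy": name, "flagged": True,
                "reason": "Identifier ref is missing or empty"}
    return {"policy": name, "flagged": False,
            "reason": f"rate limit keyed by flow variable {ref}"}


if __name__ == "__main__":
    for policy in (POLICY_NO_IDENTIFIER, POLICY_EMPTY_IDENTIFIER, POLICY_PER_CONSUMER):
        print(check_spike_arrest_identifier(policy))
```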


How to Fix the Issue

To fix this issue, configure the SpikeArrest policy to use a unique identifier for each API consumer. This is done by referencing a flow variable in the Identifier element of the SpikeArrest policy, as in the example below. Rate limiting is then applied per consumer, so one user cannot affect the availability of the API for others.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SpikeArrest continueOnError="false" enabled="true" name="SpikeArrest">
    <DisplayName>SpikeArrest</DisplayName>
    <Identifier ref="apigee.client_id"/>
    <Rate>50ps</Rate>
</SpikeArrest>