Files: All controller endpoints in:
src/main/java/com/cabbooking/controller/AuthController.java
src/main/java/com/cabbooking/controller/BookingController.java
src/main/java/com/cabbooking/controller/api/IotBridgeController.java
Severity: High
Description
No rate limiting exists on any endpoint. This enables:
- Login brute force (POST /auth/login) — unlimited password attempts
- Registration spam (POST /auth/register) — unlimited account creation, filling the DB
- Booking abuse (POST /bookings/create) — mass booking creation
- Promo code enumeration — unlimited attempts to guess valid promo codes
- SOS spam (POST /bookings/{id}/sos) — unlimited emergency alerts
Impact
- Account takeover via credential brute-force
- Financial loss from fake rides and promo code abuse
- Denial of service via resource exhaustion
- Emergency system rendered unreliable
Fix
Use Spring Boot + Resilience4j or Bucket4j for rate limiting. Track IP-based request counts in a distributed cache (Redis) for production scalability.
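One way to apply the Bucket4j option from the fix above, as an added example rather than code from this repository: a servlet filter that keeps one token bucket per client address and endpoint, with tighter limits on the endpoints listed in the description. It assumes Spring Boot 3 (jakarta.servlet), Bucket4j 8.x, and that the class name, package placement and the limit values are choices for the project to adjust.

```java
import io.github.bucket4j.Bandwidth;
import io.github.bucket4j.Bucket;
import io.github.bucket4j.ConsumptionProbe;
import io.github.bucket4j.Refill;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.time.Duration;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not project code). Assumes Spring Boot 3 (jakarta.*) and Bucket4j 8.x.
@Component
public class RateLimitFilter extends OncePerRequestFilter {

    // One bucket per client+endpoint. An in-memory map is per-instance only; with several
    // app instances back it with bucket4j's Redis integration, as the fix above suggests.
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    // Tighter limits where abuse does the most damage (see the Description above).
    private static Bandwidth limitFor(String path) {
        if (path.startsWith("/auth/login"))      return Bandwidth.classic(5, Refill.greedy(5, Duration.ofMinutes(1)));
        if (path.startsWith("/auth/register"))   return Bandwidth.classic(3, Refill.greedy(3, Duration.ofHours(1)));
        if (path.matches("/bookings/[^/]+/sos")) return Bandwidth.classic(2, Refill.greedy(2, Duration.ofMinutes(5)));
        return Bandwidth.classic(60, Refill.greedy(60, Duration.ofMinutes(1)));  // default for everything else
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String path = req.getRequestURI();
        // Key on the socket address. Only substitute X-Forwarded-For when a trusted proxy
        // sets it; otherwise a client can forge the header and get a fresh bucket per request.
        String key = req.getRemoteAddr() + "|" + path;
        Bucket bucket = buckets.computeIfAbsent(key, k -> Bucket.builder().addLimit(limitFor(path)).build());
        ConsumptionProbe probe = bucket.tryConsumeAndReturnRemaining(1);
        if (probe.isConsumed()) {
            chain.doFilter(req, res);
            return;
        }
        // Limit exceeded: reject with 429 and tell the client when the bucket refills.
        long waitSeconds = Math.max(1, probe.getNanosToWaitForRefill() / 1_000_000_000L);
        res.setHeader("Retry-After", String.valueOf(waitSeconds));
        res.sendError(429, "Too many requests");
    }
}
```

Promo code guessing is not covered by a path rule here because the finding does not name its endpoint; once it is identified, give it its own tight limit in limitFor, and count failed attempts per account as well as per IP so a distributed attacker does not slip under the per-address threshold.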