Rate Limit doesn't work with Burp Suite (security testing tool)

[mozgiel]

Hello everybody,

we are using express-rate-limit as a middleware to reduce the attempts for a specific route to 5 in 10 minutes.

In the browser, everything works fine, but I we activate s security tool like Burp Suite and try to make 100 requests with different payloads, all requests pass the middleware. Security told us, that Burp uses the same IP for all requests (no proxy). So we can't really figure out, why it's working if we try it manually and not, if its tested with a security test software.

Is there any known reason why this behaviour shows up?

Kind regards
Darius

[NoahAndrews]

Sounds like you're using an overly-permissive value for trust proxy.

[mozgiel]

I tested it and I also set 'trust proxy' to 1. I found out, that Burp Suite is using a different port on each request while the IP stays the same. I guess this is the reason, why the rate limiter doesn't count the requests as the same. But there is no setting for the rate-limiter to ignore the port and just look for the IP?

[nfriedly]

Using a different port for each request is not uncommon. Normally express-rate-limit looks at only the IP, but when trust proxy is set, then it uses the exact value from the X-Forwarded-For header. Normally proxies only specify the IP in that header, but occasionally they include the port as well. (Azure is the only one I'm aware of that includes the port by default.)

Ideally you can reconfigure the proxy to include only the IP address, but, failing that, you can add a custom keyGenerator method that strips out the port and just returns the IP - you could just do (req) => req.ip.split(':')[0] but that might cause issues with IPv6 addresses, so you may need to do something a little more involved if it turns out that you'll be handling IPv6 traffic also.

[nfriedly]

Here's a previous discussion about having the port in the header, with a full keyGenerator example that handles IPv6 properly: #234

[mozgiel]

@nfriedly thx again. I will try the IPv4 suggestion. Thanks for the info on the port with the proxy. I wasn't aware of that.

[mozgiel]

@nfriedly the keyGenerator function with stripping out the port did the trick. Hopefully this will help any future azure projects.