VC028 · A04:2021 · CWE-434

Insecure file upload

About A04:2021 Insecure Design

Insecure design captures architectural problems that can't be fixed with a one-line patch — missing rate limits, missing CSRF tokens, business logic that allows abuse. This category is new in the 2021 list and is increasingly common in AI-generated apps because models default to the happy path.

Impact: Missing rate limits on a login endpoint means credential stuffing works. Missing rate limits on a password reset means SMS bombing. Missing rate limits on a paid API endpoint means a $5,000 bill from one bad actor. Most of these don't look like 'security bugs' until you're in incident response.

How to fix it: Build rate limiting in from day one (per IP, per user, per endpoint). Add CSRF tokens to state-changing routes. Think about the threat model: who can call this, how often, and what happens if they call it 1000x more than expected?

Common patterns in this category:

  • No rate limiting on authentication endpoints
  • Password reset emails sent without throttling
  • API endpoints with no per-user request budget
  • State-changing routes without CSRF protection
  • Business logic that can be replayed indefinitely (e.g. coupon application, vote casting)
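As an added example (not XploitScan's code) of the per-IP, per-user and per-endpoint budgets the fix section and the pattern list describe, here is a small fixed-window limiter in JavaScript; the budget numbers, the route names and the injected clock are assumptions for illustration, not values from the rule.

```javascript
// Added example, not XploitScan's code: layered request budgets per IP,
// per user and per endpoint. Fixed-window counters held in memory; the
// clock is injected so the window logic can be exercised offline.

const DEFAULT_POLICY = {
  ip:   { limit: 100, windowMs: 60_000 },   // assumed budgets, tune per app
  user: { limit: 50,  windowMs: 60_000 },
  endpoint: {
    // tighter budgets for the abuse-prone routes the category text names
    'POST /login':          { limit: 5, windowMs: 60_000 },
    'POST /password-reset': { limit: 3, windowMs: 15 * 60_000 },
  },
};

class RateLimiter {
  constructor(policy = DEFAULT_POLICY, now = () => Date.now()) {
    this.policy = policy;
    this.now = now;
    this.counters = new Map(); // key -> { count, windowStart }
  }

  // Counter for a key; starts a fresh window once the old one has expired.
  bucket(key, windowMs, t) {
    let b = this.counters.get(key);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t };
      this.counters.set(key, b);
    }
    return b;
  }

  // Returns { allowed: true } or { allowed: false, exceeded: <dimension> }.
  // All dimensions are checked before any counter is consumed, so a refused
  // request does not also burn budget on the dimensions that still had room.
  check({ ip, userId, endpoint }) {
    const t = this.now();
    const dims = [['ip', `ip:${ip}`, this.policy.ip]];
    if (userId) dims.push(['user', `user:${userId}`, this.policy.user]);
    const ep = this.policy.endpoint[endpoint];
    // per-endpoint budget is keyed by the caller: the user if known, else the IP
    if (ep) dims.push(['endpoint', `ep:${endpoint}:${userId ?? ip}`, ep]);
    const buckets = dims.map(([name, key, p]) => [name, this.bucket(key, p.windowMs, t), p.limit]);
    const hit = buckets.find(([, b, limit]) => b.count >= limit);
    if (hit) return { allowed: false, exceeded: hit[0] };
    for (const [, b] of buckets) b.count += 1;
    return { allowed: true };
  }
}
```

Wire `check()` in as middleware in front of the route handlers and return 429 when `allowed` is false; the `exceeded` field tells you which budget to log and alert on.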

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.1, CC6.8
ISO 27001: A.8.28, A.8.3
OWASP Top 10: A04:2021 Insecure Design
CWE: CWE-434

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC028 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

VC028: Insecure file upload | XploitScan Rules