Skip to main content
Glama
enesjakozh
ricauts

CyberMCP

by ricauts
OverviewInspectSchemaRelated ServersScoreDiscussions
TypeScript
Hybrid

rate_limit_check

Test API rate limits by sending controlled request bursts to an endpoint, specifying method, delay, and auth headers. Identify vulnerabilities in backend systems with CyberMCP.

Input Schema

TableJSON Schema
NameRequiredDescriptionDefault
auth_headerNoAuthentication header (if any)
endpointYesAPI endpoint to test
http_methodNoHTTP method to useGET
request_bodyNoRequest body (for POST/PUT requests)
request_countNoNumber of requests to send
request_delay_msNoDelay between requests in milliseconds

Implementation Reference

  • src/tools/rateLimiting.ts:20-89 (handler)
    Executes the rate limiting check by sending multiple HTTP requests with configurable delays, detecting rate limits through status 429, rate-limit headers, and error messages in responses, then analyzes and formats a vulnerability report.
    async ({ endpoint, http_method, request_count, request_delay_ms, auth_header, request_body }) => { try { const results = []; let rateLimitDetected = false; let rateLimitThreshold = 0; let lastStatusCode = 0; // Make a sequence of requests to detect rate limiting for (let i = 0; i < request_count; i++) { // Make the request const response = await axios({ method: http_method.toLowerCase(), url: endpoint, data: request_body ? JSON.parse(request_body) : undefined, headers: auth_header ? { Authorization: auth_header } : undefined, validateStatus: () => true, // Accept any status code }); // Check for rate limiting response const isRateLimited = isRateLimitingResponse(response); const rateLimitHeaders = extractRateLimitHeaders(response.headers); results.push({ request_number: i + 1, status: response.status, rate_limited: isRateLimited, headers: rateLimitHeaders, }); // If we detect rate limiting, note when it happened if (isRateLimited && !rateLimitDetected) { rateLimitDetected = true; rateLimitThreshold = i + 1; } lastStatusCode = response.status; // If we've already been rate limited, we can stop testing if (rateLimitDetected && i >= rateLimitThreshold + 2) { break; } // Add delay between requests if (i < request_count - 1 && request_delay_ms > 0) { await new Promise(resolve => setTimeout(resolve, request_delay_ms)); } } // Analyze results const analysis = analyzeRateLimiting(results, rateLimitDetected, rateLimitThreshold); return { content: [ { type: "text", text: formatRateLimitResults(results, analysis, endpoint), }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error testing rate limiting: ${(error as Error).message}`, }, ], }; } }
  • src/tools/rateLimiting.ts:12-19 (schema)
    Zod schema validating input parameters for the tool: endpoint URL, HTTP method, number of requests, delay, optional auth and body.
    { endpoint: z.string().url().describe("API endpoint to test"), http_method: z.enum(["GET", "POST", "PUT", "DELETE"]).default("GET").describe("HTTP method to use"), request_count: z.number().min(5).max(50).default(20).describe("Number of requests to send"), request_delay_ms: z.number().min(0).max(1000).default(100).describe("Delay between requests in milliseconds"), auth_header: z.string().optional().describe("Authentication header (if any)"), request_body: z.string().optional().describe("Request body (for POST/PUT requests)"), },
  • src/tools/rateLimiting.ts:8-91 (registration)
    Registers the rate_limit_check tool on the MCP server, including schema and handler function.
    export function registerRateLimitingTools(server: McpServer) { // Rate limiting test server.tool( "rate_limit_check", { endpoint: z.string().url().describe("API endpoint to test"), http_method: z.enum(["GET", "POST", "PUT", "DELETE"]).default("GET").describe("HTTP method to use"), request_count: z.number().min(5).max(50).default(20).describe("Number of requests to send"), request_delay_ms: z.number().min(0).max(1000).default(100).describe("Delay between requests in milliseconds"), auth_header: z.string().optional().describe("Authentication header (if any)"), request_body: z.string().optional().describe("Request body (for POST/PUT requests)"), }, async ({ endpoint, http_method, request_count, request_delay_ms, auth_header, request_body }) => { try { const results = []; let rateLimitDetected = false; let rateLimitThreshold = 0; let lastStatusCode = 0; // Make a sequence of requests to detect rate limiting for (let i = 0; i < request_count; i++) { // Make the request const response = await axios({ method: http_method.toLowerCase(), url: endpoint, data: request_body ? JSON.parse(request_body) : undefined, headers: auth_header ? { Authorization: auth_header } : undefined, validateStatus: () => true, // Accept any status code }); // Check for rate limiting response const isRateLimited = isRateLimitingResponse(response); const rateLimitHeaders = extractRateLimitHeaders(response.headers); results.push({ request_number: i + 1, status: response.status, rate_limited: isRateLimited, headers: rateLimitHeaders, }); // If we detect rate limiting, note when it happened if (isRateLimited && !rateLimitDetected) { rateLimitDetected = true; rateLimitThreshold = i + 1; } lastStatusCode = response.status; // If we've already been rate limited, we can stop testing if (rateLimitDetected && i >= rateLimitThreshold + 2) { break; } // Add delay between requests if (i < request_count - 1 && request_delay_ms > 0) { await new Promise(resolve => setTimeout(resolve, request_delay_ms)); } } // Analyze results const analysis = analyzeRateLimiting(results, rateLimitDetected, rateLimitThreshold); return { content: [ { type: "text", text: formatRateLimitResults(results, analysis, endpoint), }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error testing rate limiting: ${(error as Error).message}`, }, ], }; } } ); }
  • src/tools/index.ts:6-16 (registration)
    Imports and calls registerRateLimitingTools as part of overall security tools registration.
    import { registerRateLimitingTools } from "./rateLimiting.js"; import { registerSecurityHeadersTools } from "./securityHeaders.js"; /** * Register all security testing tools with the MCP server */ export function registerSecurityTools(server: McpServer) { registerAuthenticationTools(server); registerInjectionTools(server); registerDataLeakageTools(server); registerRateLimitingTools(server);
  • src/tools/rateLimiting.ts:96-125 (helper)
    Helper function to detect if an HTTP response indicates rate limiting based on status code, headers, or body content.
    function isRateLimitingResponse(response: any): boolean { // Check status code (429 is the standard for rate limiting) if (response.status === 429) { return true; } // Check for common rate limit headers const headers = response.headers || {}; const headerKeys = Object.keys(headers).map(h => h.toLowerCase()); if ( headerKeys.some(h => h.includes("ratelimit") || h.includes("rate-limit") || h.includes("x-rate")) ) { return true; } // Check response body for rate limit messages const responseBody = typeof response.data === 'string' ? response.data.toLowerCase() : JSON.stringify(response.data || "").toLowerCase(); return ( responseBody.includes("rate limit") || responseBody.includes("ratelimit") || responseBody.includes("too many requests") || responseBody.includes("exceeded") || responseBody.includes("throttle") || responseBody.includes("slow down") ); }

This server cannot be installed

Other Tools

Related Tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/ricauts/CyberMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server