
API4: Unrestricted Resource Consumption

>Control Description

Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails, SMS, phone calls, or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs. An API is vulnerable if it is missing or has improperly set limits on execution timeouts, maximum allocable memory, maximum number of file descriptors, maximum number of processes, maximum upload file size, number of operations to perform in a single request, number of records per page to return in a single response, or third-party service providers' spending limits.

>Prevention & Mitigation Strategies

  1. Use a solution that makes it easy to limit memory, CPU, number of restarts, file descriptors, and processes, such as containers or serverless code.
  2. Define and enforce a maximum size of data on all incoming parameters and payloads, such as maximum length for strings, maximum number of elements in arrays, and maximum upload file size.
  3. Implement a limit on how often a client can interact with the API within a defined timeframe (rate limiting).
  4. Rate limiting should be fine-tuned based on the business needs. Some API endpoints might require stricter policies.
  5. Limit/throttle how many times or how often a single API client/user can execute a single operation (e.g. validate an OTP, or request password recovery without visiting the one-time URL).
  6. Add proper server-side validation for query string and request body parameters, specifically the ones that control the number of records to be returned in the response.
  7. Configure spending limits for all service providers/API integrations. When spending limits cannot be set, billing alerts should be configured instead.
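Strategies 2, 3, 5 and 6 above are all enforceable in application code before any expensive work is done. The following is an added example, not code from the OWASP project: a sliding-window limiter used both as a general per-client rate limit and as a much stricter per-account throttle on a paid operation (a password reset that sends an SMS), plus server-side bounds on the `per_page` parameter and on string and array sizes in a payload. The limits, the parameter name `per_page`, and the in-memory counter store are assumptions; a real deployment would keep the counters in a shared store so every API instance enforces the same budget.

```python
"""Request budgets for an API: per-client rate limiting, per-operation
throttling, and hard bounds on incoming parameters.

Added example (not from the OWASP text). Limits, names and the in-memory
store are assumptions; production code would share counters via a store
such as Redis so all instances see the same budget.
"""
from __future__ import annotations

import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events: dict[str, deque] = {}

    def allow(self, key: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._events.setdefault(key, deque())
        # Forget events that have left the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Strategy 3: a general per-client limit (assumed: 100 requests per minute).
CLIENT_LIMITER = SlidingWindowLimiter(limit=100, window_seconds=60)
# Strategy 5: a stricter per-account limit on a paid operation
# (assumed: 3 password-reset SMS per hour per account).
PASSWORD_RESET_LIMITER = SlidingWindowLimiter(limit=3, window_seconds=3600)

# Strategies 2 and 6: hard bounds on incoming data (assumed values).
MAX_PAGE_SIZE = 100
MAX_STRING_LEN = 1024
MAX_ARRAY_LEN = 100


def parse_page_size(raw: str | None, default: int = 20) -> int:
    """Validate the per_page query parameter server-side; never trust the client."""
    if raw is None:
        return default
    if not raw.isdigit():  # rejects negatives, floats and junk
        raise ValueError("per_page must be a positive integer")
    value = int(raw)
    if value < 1 or value > MAX_PAGE_SIZE:
        raise ValueError(f"per_page must be between 1 and {MAX_PAGE_SIZE}")
    return value


def check_payload_bounds(value, path: str = "$") -> None:
    """Recursively enforce string length and array size limits on a JSON body."""
    if isinstance(value, str):
        if len(value) > MAX_STRING_LEN:
            raise ValueError(f"{path}: string longer than {MAX_STRING_LEN}")
    elif isinstance(value, list):
        if len(value) > MAX_ARRAY_LEN:
            raise ValueError(f"{path}: more than {MAX_ARRAY_LEN} elements")
        for i, item in enumerate(value):
            check_payload_bounds(item, f"{path}[{i}]")
    elif isinstance(value, dict):
        for key, item in value.items():
            check_payload_bounds(key, path)
            check_payload_bounds(item, f"{path}.{key}")


def handle_password_reset(client_ip: str, account: str, now: float) -> str:
    """Gate an SMS-sending reset behind both limiters; returns an HTTP-style status."""
    if not CLIENT_LIMITER.allow(f"client:{client_ip}", now):
        return "429 client rate limit"
    if not PASSWORD_RESET_LIMITER.allow(f"reset:{account}", now):
        return "429 reset throttled"
    # Only now would the paid SMS provider be called.
    return "202 sms queued"
```

The per-account key is what stops the cost-abuse pattern: a per-client limit alone is defeated by a distributed script, but the number of SMS any one account can trigger per hour is bounded regardless of how many clients request it.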

>Attack Scenarios

#1 SMS-based password reset cost abuse

An attacker targets a forgot-password flow that sends an SMS. The attacker writes a script that issues tens of thousands of API requests, causing the backend to send tens of thousands of SMS messages at $0.05 each. Within minutes, the company loses thousands of dollars in SMS charges.

#2 GraphQL batching memory exhaustion

A GraphQL endpoint allows users to upload profile pictures. The API limits each request to a maximum of three per minute. An attacker bypasses the rate limit by batching 999 upload mutations into a single GraphQL request. The server attempts to generate thumbnails for all 999 images simultaneously, exhausting available memory and causing denial of service.
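The bypass in this scenario works because the rate limit counts HTTP requests while the cost is driven by operations inside a request. The added example below (not code from the OWASP project) is a pre-execution check that counts root-level selections across both array-batched requests and alias-batched documents and rejects the request when the total exceeds a budget, so the "three per minute" limit can be applied to mutations rather than to HTTP calls. The budget of 10, the `uploadProfilePicture` field name and the sample requests are constructed assumptions; the check covers only the first operation in each document and is meant to sit in front of, not replace, query-depth and complexity limits in the GraphQL engine.

```python
"""Cap the number of operations accepted in a single GraphQL request.

Added example (not from the OWASP text): counts root-level selections in
each submitted document (aliases, arguments, nested selection sets, strings
and comments handled) and sums them across array batching, then rejects the
request if the total exceeds a fixed budget.
"""
import json

MAX_OPERATIONS_PER_REQUEST = 10  # assumed budget; tune per endpoint


class OperationBudgetExceeded(ValueError):
    pass


def count_root_selections(document: str) -> int:
    """Count selections at the root of the first operation in `document`."""
    n, i, paren = len(document), 0, 0
    # Skip the operation keyword, name and variable definitions "(...)"
    # up to the "{" that opens the root selection set.
    while i < n and not (document[i] == "{" and paren == 0):
        paren += {"(": 1, ")": -1}.get(document[i], 0)
        i += 1
    if i >= n:
        return 0
    i += 1
    depth, paren, count = 1, 0, 0
    while i < n and depth > 0:
        ch = document[i]
        if ch == '"':  # skip string literals (block strings included)
            if document.startswith('"""', i):
                end = document.find('"""', i + 3)
                i = n if end < 0 else end + 3
            else:
                i += 1
                while i < n and document[i] != '"':
                    i += 2 if document[i] == "\\" else 1
                i += 1
            continue
        if ch == "#":  # comment runs to end of line
            while i < n and document[i] != "\n":
                i += 1
            continue
        if ch in "(){}":
            if ch == "(":
                paren += 1
            elif ch == ")":
                paren -= 1
            elif ch == "{":
                depth += 1
            else:
                depth -= 1
            i += 1
            continue
        if depth == 1 and paren == 0 and (ch.isalpha() or ch in "_@"):
            j = i + 1
            while j < n and (document[j].isalnum() or document[j] == "_"):
                j += 1
            if ch == "@":  # a directive, not a selection
                i = j
                continue
            k = j
            while k < n and document[k] in " \t\r\n,":
                k += 1
            if k < n and document[k] == ":":  # alias; the field name follows
                i = k + 1
                continue
            count += 1  # a root-level field or fragment spread
            i = j
            continue
        i += 1
    return count


def count_operations(raw_body: str) -> int:
    """Total root selections across a single or array-batched request body."""
    body = json.loads(raw_body)
    items = body if isinstance(body, list) else [body]
    total = 0
    for item in items:
        if not isinstance(item, dict) or not isinstance(item.get("query"), str):
            raise ValueError("malformed GraphQL request item")
        total += count_root_selections(item["query"])
    return total


def enforce_operation_budget(raw_body: str, budget: int = MAX_OPERATIONS_PER_REQUEST) -> int:
    """Run before handing the body to the GraphQL engine; returns the count."""
    n = count_operations(raw_body)
    if n > budget:
        raise OperationBudgetExceeded(f"{n} operations exceed budget of {budget}")
    return n


# Constructed sample: the scenario's 999 uploads packed into one aliased mutation.
ALIASED_BATCH = json.dumps({"query": "mutation {" + " ".join(
    f'u{i}: uploadProfilePicture(file: "img{i}.png") {{ id }}' for i in range(999)) + "}"})
```

Counting at this layer also gives the rate limiter a better unit: feeding the returned count into the per-client limiter instead of incrementing by one per HTTP request makes "three uploads per minute" mean three mutations, not three requests.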

#3 Uncapped cloud storage costs

A service provider allows clients to download arbitrarily large files via its API. An update increases a cached file from under the caching threshold to 18GB. All API clients immediately begin downloading the new version. Because there were no spending alerts or cost caps on the cloud storage account, the monthly bill increases from $13 to $8,000.

>Related CWEs

>References
