Learn about the risks and impacts of API4:2019 Lack of Resources & Rate Limiting. Lack of proper rate limiting can result in denial of service attacks, making the API unresponsive.
This summary describes API4:2019 Lack of Resources & Rate Limiting, one of the OWASP API Security Top 10 risks. It covers the threat agents and attack vectors, the underlying security weakness, and the impacts associated with this vulnerability.
API4:2019 Lack of Resources & Rate Limiting occurs when an API does not implement rate limiting, or when the limits are set too loosely to be effective. This can lead to denial of service (DoS), making the API unresponsive or entirely unavailable. Example attack scenarios and prevention measures follow.
To prevent API4:2019 Lack of Resources & Rate Limiting, it is recommended to implement limits on how often a client can call the API within a defined timeframe. The server should also notify the client when the limit is exceeded and provide information about when the limit will be reset. Proper server-side validation of query string and request body parameters should be implemented, especially the parameter that controls the number of records to be returned in the response. It is also important to define and enforce the maximum size of data on all incoming parameters and payloads.
Scenario #1: An attacker uploads a large image that exhausts the available memory during the creation of thumbnails, making the API unresponsive.
Scenario #2: An attacker changes the size parameter in an API request, causing performance issues on the database and rendering the API unresponsive, leading to denial of service.
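The following is an added example, not code from the OWASP page, showing how the prevention measures above map onto a request handler: a per-client sliding-window limit that tells the client the limit, what remains and when it resets (and `Retry-After` once it is exceeded), a server-side check on the records-per-page parameter (scenario #2), and a hard cap on request body size applied before any expensive processing such as thumbnailing (scenario #1). It is framework-free and keeps state in memory; the header names follow the common `X-RateLimit-*` convention, and the policy values (`RATE_LIMIT`, `WINDOW_SECONDS`, `MAX_PAGE_SIZE`, `MAX_BODY_BYTES`) are assumptions chosen for the example, not figures from the page.

```python
"""API4:2019 mitigations in one handler (added example; values are assumptions)."""
import math
import time
from collections import defaultdict, deque

# Policy constants: assumed values for this example, not OWASP-mandated numbers.
RATE_LIMIT = 5            # requests allowed per client per window
WINDOW_SECONDS = 60.0     # sliding-window length in seconds
MAX_PAGE_SIZE = 100       # upper bound for the "size" (records per page) parameter
MAX_BODY_BYTES = 1 << 20  # 1 MiB cap on request bodies such as image uploads


class ManualClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class SlidingWindowLimiter:
    """Per-client sliding-window request counter held in memory.

    A real deployment keeps this state in a shared store (e.g. Redis) so that
    every API instance enforces the same limit for a given client."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent requests

    def check(self, client_id):
        """Record one request; return (allowed, headers) describing the quota."""
        now = self.clock()
        hits = self._hits[client_id]
        while hits and now - hits[0] >= self.window:  # forget requests outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            # Seconds until the oldest counted request leaves the window.
            retry_after = math.ceil(self.window - (now - hits[0]))
            return False, {
                "X-RateLimit-Limit": str(self.limit),
                "X-RateLimit-Remaining": "0",
                "X-RateLimit-Reset": str(retry_after),
                "Retry-After": str(retry_after),
            }
        hits.append(now)
        reset = math.ceil(self.window - (now - hits[0]))
        return True, {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(self.limit - len(hits)),
            "X-RateLimit-Reset": str(reset),
        }


def parse_page_size(raw, default=20):
    """Server-side validation of the records-per-page parameter (scenario #2).

    Returns an int in [1, MAX_PAGE_SIZE] or raises ValueError; never trusts the client."""
    if raw is None:
        return default
    try:
        size = int(raw)
    except (TypeError, ValueError):
        raise ValueError("size must be an integer")
    if size < 1 or size > MAX_PAGE_SIZE:
        raise ValueError(f"size must be between 1 and {MAX_PAGE_SIZE}")
    return size


def handle_request(limiter, client_id, query=None, body=b""):
    """Apply the checks cheapest-first and return (status, headers, payload).

    Rejections happen before any costly work (thumbnail generation, DB query)
    so an abusive request cannot exhaust memory or database capacity."""
    query = query or {}
    allowed, headers = limiter.check(client_id)
    if not allowed:
        return 429, headers, {"error": "rate limit exceeded"}
    # Scenario #1: bound the payload before touching it. In a real server this
    # check is made on Content-Length before the body is read into memory.
    if len(body) > MAX_BODY_BYTES:
        return 413, headers, {"error": f"body exceeds {MAX_BODY_BYTES} bytes"}
    try:
        size = parse_page_size(query.get("size"))
    except ValueError as exc:
        return 400, headers, {"error": str(exc)}
    # Stand-in for the real data access; "size" is now guaranteed to be bounded.
    records = [f"record-{i}" for i in range(size)]
    return 200, headers, {"records": records}


if __name__ == "__main__":
    clock = ManualClock()
    limiter = SlidingWindowLimiter(limit=3, window=60.0, clock=clock)
    for _ in range(4):
        print(handle_request(limiter, "client-a")[:2])   # fourth call is 429
    print(handle_request(limiter, "client-b", {"size": "100000"})[:1])  # 400
    print(handle_request(limiter, "client-b", body=b"x" * (MAX_BODY_BYTES + 1))[0])  # 413
```

Ordering is the point worth noting: the rate-limit decision is the cheapest check, so it runs first; the body-size cap runs before the payload is parsed or decoded; and the page-size parameter is validated before a query is built from it. Each rejection carries the quota headers, so a well-behaved client can back off instead of retrying blindly.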