
API4:2023 Unrestricted Resource Consumption - OWASP API Security Top 10

Learn about API4:2023 Unrestricted Resource Consumption, a security risk in APIs that can result in denial of service attacks and increased operational costs. Find preventive measures here.

Overview

This article discusses the security risk of unrestricted resource consumption in APIs, as defined in the OWASP API Security Top 10. It explains the threat agents, security weakness, and impacts associated with this vulnerability. It also provides example attack scenarios and suggests preventive measures to mitigate the risk.


Description

API4:2023 Unrestricted Resource Consumption is a security risk in APIs that arises when an API does not bound the resources a request may consume, so it can be exploited with simple, cheap-to-send API requests. It can lead to denial of service (DoS) through resource starvation and to increased operational costs. This article provides an overview of the vulnerability, its implications, and ways to prevent it.


How to Prevent?

To prevent API4:2023 Unrestricted Resource Consumption, it is recommended to use solutions like containers or serverless code, which make it easy to limit memory, CPU, number of restarts, file descriptors, and processes. Additionally, enforce a maximum size on incoming parameters and payloads, implement rate limiting, limit how often a single client can execute costly operations, and configure spending limits with service providers. Proper server-side validation and monitoring should also be in place.


Example Attack Scenarios:

  • Scenario #1: SMS Verification Exploitation: In this scenario, an attacker sends multiple API requests for password reset via SMS verification. This leads to the back end generating a high number of SMS messages, resulting in significant financial loss for the company.

  • Scenario #2: GraphQL API Memory Exhaustion: In this scenario, an attacker bypasses rate limiting and uploads multiple large profile pictures through the GraphQL API. The server's memory gets exhausted by the generation of thumbnails, causing denial of service.

  • Scenario #3: Cost Increase from Large File Downloads: In this scenario, service clients start downloading an updated large file without consumption cost alerts or limits. As a result, the service provider incurs unexpectedly high monthly bills.
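The following is an added example, not code from the Cloud Defense page or from OWASP, showing the server-side controls the prevention section names applied to Scenario #1 and Scenario #2: a per-key rate limit on the SMS password-reset flow, a spending limit on SMS sends, and a maximum payload size on uploads. The class names, the limits (3 resets per phone per hour, 20 per IP per minute, a 0.05 cost per SMS) and the simulated request bursts are all assumptions chosen for illustration.

```python
"""Added example (not from the page or OWASP): resource-consumption guards
for an SMS password-reset endpoint and an upload endpoint.
All limits and costs below are assumed values, not real pricing."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


class RateLimiter:
    """Sliding-window limiter: at most `limit` events per `window_s` seconds
    for each key (phone number, user id, client IP, ...)."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events: dict = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        # Forget events that fell out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SpendingLimit:
    """Caps what an endpoint may spend on a paid provider in a period."""

    def __init__(self, budget: float):
        self.budget = budget
        self.spent = 0.0

    def charge(self, cost: float) -> bool:
        if self.spent + cost > self.budget:
            return False
        self.spent += cost
        return True


@dataclass
class Decision:
    allowed: bool
    reason: str = "ok"


@dataclass
class PasswordResetGuard:
    """Scenario #1 defence: throttle per phone and per IP, then charge the
    SMS budget only for requests that actually pass the throttles."""
    per_phone: RateLimiter = field(default_factory=lambda: RateLimiter(3, 3600))
    per_ip: RateLimiter = field(default_factory=lambda: RateLimiter(20, 60))
    sms_budget: SpendingLimit = field(default_factory=lambda: SpendingLimit(100.0))
    sms_cost: float = 0.05  # assumed per-message cost

    def handle(self, phone: str, ip: str, now: float) -> Decision:
        if not self.per_ip.allow(ip, now):
            return Decision(False, "ip rate limit")
        if not self.per_phone.allow(phone, now):
            return Decision(False, "phone rate limit")
        if not self.sms_budget.charge(self.sms_cost):
            return Decision(False, "sms budget exhausted")
        return Decision(True)  # only now would the SMS be sent


MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for profile pictures


def check_upload(declared_length: Optional[int], max_bytes: int = MAX_UPLOAD_BYTES) -> Decision:
    """Scenario #2 defence: refuse oversized or unsized bodies before reading
    them. The body reader must also stop at max_bytes, since Content-Length
    is client-supplied and can be omitted or understated."""
    if declared_length is None:
        return Decision(False, "missing content length")
    if declared_length > max_bytes:
        return Decision(False, "payload too large")
    return Decision(True)


def simulate_reset_burst() -> list:
    """Constructed burst: five resets for one phone within five seconds."""
    guard = PasswordResetGuard()
    return [guard.handle("+15550100", "203.0.113.7", float(t)).reason for t in range(5)]


def simulate_budget_exhaustion() -> list:
    """Constructed case: a budget that only covers two messages."""
    guard = PasswordResetGuard(per_phone=RateLimiter(10, 3600),
                               sms_budget=SpendingLimit(0.10))
    return [guard.handle(f"+1555010{i}", "203.0.113.7", float(i)).reason for i in range(3)]


if __name__ == "__main__":
    print(simulate_reset_burst())
    print(simulate_budget_exhaustion())
    print(check_upload(12 * 1024 * 1024), check_upload(None), check_upload(4096))
```

The order of checks matters: the cheap rate-limit checks run first so that a rejected request never consumes SMS budget, and the spending limit is the last line of defence if a throttle is bypassed, which is exactly the failure mode Scenario #1 and Scenario #2 describe. In a real deployment the limiter state would live in a shared store rather than process memory, and each rejection should be logged so that bursts against these limits show up in monitoring.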
