A Guide to Unrestricted Resource Consumption

Unmanaged application risks
Securing Your Organization From Unmanaged Application Risks 
December 4, 2024
API security misconfiguration audits
Protecting Against API Security Misconfigurations with Regular Audits
December 5, 2024

December 5, 2024

Recently, third-party actors attacked Poland’s tax department portal. Attackers used a relatively new way to exploit the vulnerability. They overwhelmed APIs supporting the tax portal by sending a large volume of requests to the system, exhausting the resources.

 As a result, the portal was out for several hours. This disruption disrupted the tax filing and other operational work in the department. It’s a classic example of Unrestricted Resource Consumption risk. The frequency of such attacks, especially DDoS(Distributed Denial of Service), has recently increased.

According to a Cybersecurity Insider report, there was a massive 47% rise in Q1 2023 compared to the same period in 2022. Therefore, it has been included among the top 5 API vulnerabilities list.

In this blog, we’ll try to understand how unrestricted resource consumption occurs, its potential consequences, and ways to deal with it.

Understanding Unrestricted Resource Consumption

Software systems are designed to handle a certain amount of requests, and beyond that, they cannot perform. This is important to ensure systems run smoothly.  

However, Unrestricted Resource Consumption is a significant vulnerability in APIs. Third-party actors can exploit it to request excessive amounts of resources like memory, CPU time, or bandwidth without taking into account appropriate constraints, disrupting a system’s functioning. 

Apart from application performance implications, it can have severe consequences for application security. This can severely disrupt services and incur significant operational costs. 

They can do this by suddenly sending a large volume of requests within a very short time to overwhelm servers and systems or manipulating parameters to increase the amount of data a system can process.  

Let’s examine a real-world example to understand it better. A few years ago, GitHub faced a massive Distributed Denial of Service (DDoS) attack that peaked at 1.35 terabits per second. Attackers used Memcached, a type of caching system, to amplify their traffic, overwhelming GitHub’s API infrastructure.

As a result, GitHub had to stop operations. The incident underscored the need for implementing rate limiting and traffic control mechanisms to prevent such attacks. 

What Are Common Attack Vectors? 

Here are the following strategies malicious actors can carry out Unrestricted Resource Consumption attacks: 

Common Attacks Vectors

1. Excessive Requests

This is a common technique used by attackers to send multiple requests in a short period. In such circumstances, the server cannot process all requests. This is often caused by utilizing automated scripts or botnets. 

2. Large File Uploads

If APIs allow uploading files without size restrictions, attackers can easily manipulate them to exhaust server storage and processing capabilities. They can do it repeatedly to cause memory exhaustion, which can crash the server. 

3. Resource Exhaustion

This includes strategies that enable attackers to exploit specific system limits like database connections or file descriptors. 

Types of Resources at Risk

The types of resources at risk from unrestricted consumption include:

  • CPU: Excessive processing demands can slow down or halt application performance.
  • Memory: A large number of requests can exhaust memory, resulting in crashes or degraded performance.
  • Disk Space: Uncontrolled uploads can fill available storage, causing system failures.
  • Network Bandwidth: Flooding an API with requests can choke bandwidth, affecting all users and services connected to the network.  

Consequences of Unrestricted Resource Consumption 

According to OWASP’sOWASP’s Top 10 API Security Risks, Unrestricted Resource Consumption poses serious risks that can undermine an organization’s financial health and operational stability. 

Understanding these impacts is essential for developing effective strategies to mitigate risks and safeguard digital assets in an increasingly complex threat landscape.

Denial of Service (DoS)

One of the most immediate threats posed by unrestricted resource consumption is the risk of Denial of Service (DoS) attacks

In these scenarios, malicious actors exploit application vulnerabilities to flood systems with excessive requests, overwhelming servers and rendering them unavailable to legitimate users. 

According to the Cybersecurity and Infrastructure Security Agency (CISA), approximately 70% of organizations reported experiencing at least one DoS attack in the past year.

This disrupts normal business operations and can lead to a cascading effect where other dependent services fail, exacerbating downtime and user frustration.

Financial Implications

The financial implications of such attacks can be staggering. A study by the Ponemon Institute revealed that the average cost of a data breach is around $4.45 million, a figure that can rise dramatically with extended service outages. 

Beyond direct losses from halted transactions, organizations may incur additional costs related to incident response, system recovery, and potential regulatory fines if they fail to comply with data protection laws during breaches.

 Moreover, reputational damage can lead to long-term customer attrition, further impacting revenue streams.

Operational Risks

Operational risks associated with unrestricted resource consumption are equally concerning. Systems that experience performance degradation due to excessive resource demands can lead to inefficiencies in service delivery.

For instance, critical business functions may slow down or become unresponsive, hindering productivity and affecting employee morale. Additionally, when cybersecurity teams are inundated with managing these resource-related issues, their ability to respond to emerging threats diminishes. 

This creates a precarious situation where organizations may become more vulnerable to sophisticated cyberattacks while struggling to maintain operational integrity.

Example Scenarios: Unrestricted Resource Consumption 

Here are two example scenarios of Unrestricted Resource Consumption Risks: 

Example Scenario # 1: A service provider offers clients the ability to download files of any size through its API. These files are stored in cloud object storage and are infrequently updated. To enhance service efficiency and reduce bandwidth usage, the provider utilizes a caching service that only supports files up to 15GB.

When one of the files is updated and its size grows to 18GB, all clients download the new version simultaneously. 

Due to the absence of consumption cost alerts and a maximum spending limit for the cloud service, the provider experiences a dramatic cost surge, with the monthly bill skyrocketing from an average of $13 to $8,000.

Example Scenario # 2: A social network has implemented a “forgot password” feature that utilizes SMS verification, allowing users to receive a one-time token via SMS to reset their passwords.

When a user clicks on “forgot password,” an API call is initiated from the user’s browser to the back-end API:

Subsequently, the back-end makes a call to a third-party API responsible for delivering the SMS:

In this scenario, an attacker creates a script that sends the initial API call tens of thousands of times. 

As a result, the back-end repeatedly requests Willyo to send an overwhelming number of text messages, causing the company to incur significant losses amounting to thousands of dollars within just a few minutes.

Mitigation Strategies for Unrestricted Resource Consumption 

Here are practical strategies suggested by OWASP to mitigate unrestricted resource consumption threats: 

Mitigation Strategies

1. Utilize Containerization or Serverless Architectures

Use a solution that makes it easy to limit memory, CPU, number of restarts, file descriptors, and processes such as Containers / Serverless code (e.g., Lambdas). 

Organizations can define strict resource limits for each deployment by leveraging containerization or serverless architectures. This ensures that applications do not consume excessive resources, preventing potential overloads. 

For example, serverless functions can automatically scale based on demand while adhering to defined memory and execution time limits, enhancing security and performance.

2. Enforce Maximum Data Size Limits

Define and enforce a maximum data size on all incoming parameters and payloads. This includes setting limits on the maximum length for strings, the maximum number of elements in arrays, and the maximum upload file size. 

By implementing these constraints, developers can effectively mitigate the risk of resource exhaustion attacks. Establishing clear boundaries for data size helps ensure that APIs remain responsive and can handle legitimate requests without succumbing to overload from malicious input.

3. Implement Rate Limiting

Implement a rate limit on how often a client can interact with the API within a defined timeframe through rate limiting. This practice helps prevent abuse by restricting the number of requests a user can make in a given period. 

Controlling traffic flow enables organizations to protect their APIs from being overwhelmed by excessive requests, thus maintaining service availability for legitimate users. 

Rate limiting is essential for safeguarding against denial-of-service attacks and ensuring fair resource allocation among users.

4. Fine-Tune Rate Limiting Based on Business Needs

Rate limiting should be fine-tuned based on business needs. Some API endpoints may require stricter policies due to their sensitivity or resource intensity. For instance, endpoints handling financial transactions might necessitate lower thresholds than those serving public data. 

Tailoring rate limits according to specific use cases allow organizations to balance security with user experience effectively while minimizing the risk of abuse.

5. Throttle Sensitive Operations

Limit or throttle how many times a single API client or user can execute a specific operation, such as validating an OTP or requesting password recovery without visiting the one-time URL.This approach helps prevent repeated abuse of sensitive operations that could lead to account takeovers or unauthorized access.

By enforcing operational limits, organizations can enhance the security of critical functions and reduce the likelihood of exploitation by malicious actors.

Implement Robust Server-Side Validation

Add proper server-side validation for query string and request body parameters, particularly those controlling the number of records returned in a response. 

Implementing robust validation ensures that inputs conform to expected formats and limits, preventing attackers from manipulating requests to extract excessive data. 

This measure enhances security and improves overall API performance by reducing unnecessary load on backend systems.

6. Configure Spending Limits and Alerts

To manage costs effectively, configure spending limits for all service providers and API integrations. When setting spending limits is not feasible, organizations should configure billing alerts to monitor usage closely. 

This proactive approach helps prevent unexpected spikes in expenses due to resource consumption or abuse.

Security teams can take timely action to mitigate financial risks associated with unrestricted resource consumption by closely monitoring spending patterns, businesses can

Best Practices For Developers to Prevent Unrestricted Resource Consumption Vulnerability

To prevent unrestricted resource consumption vulnerabilities, developers should adopt several best practices:

 Preventing Unrestricted Resource Consumption

1. Input Validation and Sanitization

Ensure that all incoming data is validated against expected formats and sanitized to eliminate potentially harmful inputs, reducing the risk of injection attacks.

2. Use Strong Authentication and Authorization

Employ robust authentication methods (e.g., OAuth, API keys) and enforce precise authorization controls to restrict access to sensitive resources.

3. Adopt API Gateways

Utilize API gateways for centralized management of security policies, including rate limiting, authentication, and logging, to streamline security enforcement across all APIs.

4. Monitor and Log Activity

Implement comprehensive logging and monitoring to detect unusual patterns in API usage, enabling quick responses to potential exploitation attempts.

Conclusion 

Finally, Unrestricted Resource Consumption poses a significant risk for APIs, potentially resulting in denial-of-service attacks. Therefore, it becomes essential to identify potential threat actors, how they attack, and recognize the vulnerabilities in your systems to mitigate these risks. Furthermore, you must implement the best practices to safeguard your APIs and ensure their reliability. 

To further strengthen your security posture, consider partnering with SecureLayer7’s Red Teaming and Penetration Testing team. Get in touch with us to know more. 

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading

Enable Notifications OK No thanks