DEV Community

Cover image for API4:2019 - Lack of Resources & Rate Limiting
Breno Vitório
Breno Vitório

Posted on • Updated on

API4:2019 - Lack of Resources & Rate Limiting

Hello guys! I'm already feeling a lack of creative resources when trying to introduce these posts 😋

Ba dum tss

So let's talk about Lack of Resources & Rate Limiting!

🏞️ Getting to Know The Issue

As you certainly know, APIs don't have unlimited power, and their behavior when attending requests during stressful situations depends on some different factors, such as:

  • Machine resources
  • Concurrency handling implementation
  • Complexity of the tasks which are being requested
  • Code optimization

When the application doesn't have enough restrictions for avoiding these stressful situations, bad guys may abuse them as a vector for getting unwanted behavior, like DoS. This lack of restrictions is what cause API4:2019.

📚 Some examples

🚨 Example 1

A library has an API in which an endpoint receives this request:

GET /api/books?page=1&perPage=3 HTTP/1.1
Host: www.example.com

And returns this response:

HTTP/1.1 200 OK
Content-Type: application/json

[
    {
        "name": "Book nº1",
        "author": "Unknown",
        "synopsys": "Synopsys here...",
        "pages": "590",
    },
    {
        "name": "Book nº2",
        "author": "Unknown",
        "synopsys": "Synopsys 2 here...",
        "pages": "320",
    },
    {
        "name": "Book nº3",
        "author": "Unknown",
        "synopsys": "Synopsys 3 here...",
        "pages": "480",
    }
]

Notice that it returns 3 books per page, because of the perPage query parameter which is on the URL. In this case, API4:2019 happens if there is no mechanism for limiting the value which may be passed to the perPage parameter, because it would make possible for bad guys to retrieve basically the entire books table with just one request. 😲

Abusing it would cause performance issues on the API, or even could make it completely unresponsive in some more specific cases. 😱

🏋️ Example 2

There's an API which receives pictures in order to perform an image processing of contrast adjustment, and after that return the equalized picture.

Although the histogram equalization is not something hard for a computer to do, it still takes some effort when we are working with bigger pictures.

In this scenario, API4:2019 may happen if the API has no method for limiting the size of the images you are uploading. Because it would make possible for bad guys to upload pictures of gigabytes, and it has potential to even crash the server, depending on some other variables.

📖 External materials

As my goal with this series is to just explain what each flaw is while I'm learning about them all, I would like to suggest some materials about lack of resources and rate limiting, so you understand better the details of it:

https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md

https://salt.security/blog/api4-2019-lack-of-resources-rate-limiting

Also, TheXSSRat has this amazing training for OWASP API Security Top 10. Consider taking a look at his labs:

https://hackxpert.com/API-testing.php

Discussion (0)