
OWASP Top 10 API security risks: Unrestricted resource consumption
Number four on the draft list of the Open Worldwide Application Security Project® (OWASP) Top 10 API Security Risks is unrestricted resource consumption.
Most commonly, unrestricted resource consumption allows attackers to overwhelm API endpoints with requests to deny service to users.
Attack vectors
OWASP assigned an exploitability score of two to unrestricted resource consumption, meaning it is easily exploitable by hackers.
Attackers need only simple API requests, issued concurrently from a single computer or from rented cloud capacity. When an API does not limit client interactions or resource consumption, such traffic can overwhelm it and lead to execution timeouts, exhausted memory, and saturated bandwidth.
Security weaknesses
OWASP scores unrestricted resource consumption as a three on its scale of prevalence and detectability, denoting that the vulnerability is widespread and can be detected fairly easily. Even so, it’s common to find APIs that do not limit interactions and consumption. For example, an attacker can alter the parameters sent to an API endpoint so that it returns mass amounts of data in a single interaction.
While most interactions are logged, a lack of monitoring and alerting can allow malicious activity to go unnoticed.
Business impacts
The business impacts include denial of service (DoS) due to resource starvation. This can degrade performance significantly when API endpoints become overwhelmed by requests. Attackers can quickly exhaust API resources, such as CPU, storage, and memory, causing systems to fail.
Business impacts include:
- APIs are unavailable to handle legitimate requests
- Brute force attacks and command injection attacks at scale
- Theft of access tokens and unauthorized access to sensitive data
- Exfiltration of data
- Excess access fees for API consumption
These attacks are often used as smokescreens to mask other malicious activity. While security teams are dealing with DoS attacks and trying to return service to users, for example, other attacks may be underway.
How unrestricted resource consumption works
When software does not restrict the amount of resources that a user can request, attackers can exploit this vulnerability to overwhelm systems. Such attacks have become more commonplace in recent years and continue to grow in number, increasing 47% in Q1 2023 compared to the same period in 2022.
Attackers also use botnets and networks of compromised devices to flood API endpoints with requests, causing systems to crash or hang, in distributed denial of service (DDoS) attacks.
Real-world examples
A breach at T-Mobile exposed the data of more than 30 million customers. Data on nearly a million customers was exfiltrated daily through an API endpoint for a month without triggering any rate limiting or time-series behavioral anomalies. Because this attack caused no degraded performance, it raised no flags, and attackers were able to siphon off mass amounts of data undetected for a substantial period of time.
OWASP also details several attack scenarios, such as credit card activation, where users must provide the last four digits of an account to activate. When an API does not limit the number of times the operation can be attempted, brute force tactics can be deployed for success.
Another example would be attackers uploading large images by issuing a POST request to an API that creates multiple thumbnails in different sizes. Because of the size of the upload, this taxes available memory, causing the API to become unresponsive. The same scenario could be applied to APIs that do not limit the sizes of files stored in cloud object storage: as new queries pull the larger files without any consumption alerts, monthly fees could increase significantly.
Detecting unrestricted resource consumption vulnerabilities
The first sign of an unrestricted resource consumption vulnerability is often a DoS attack that arrives without warning. Developers should make sure to monitor and alert on warning signs, such as:
- IP addresses that send multiple connection requests within short periods
- Traffic sources that keep querying similar data sets in a way unrelated to typical user behavior
- Unexpected performance lags, or ping requests that time out (time to live (TTL) expired)
- Unusual API requests without any obvious explanation
Proactively simulating DoS attacks to probe for vulnerabilities and deploying limitations on the number of resources that can be allocated to any one API request can also help detect and prevent such attacks.
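The first two warning signs above, run over constructed access-log lines, as an added example that is not part of the original post. It flags a client that bursts many requests in a short window, and separately a client that fetches more distinct records than a normal user would, regardless of pace, which is the slow-harvest pattern described in the T-Mobile example; the log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the original post): "<ISO timestamp> <client ip> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 /api/orders?page=1
2024-01-01T10:00:01 203.0.113.5 /api/orders?page=2
2024-01-01T10:00:02 203.0.113.5 /api/orders?page=3
2024-01-01T10:00:02 203.0.113.5 /api/orders?page=4
2024-01-01T10:00:03 203.0.113.5 /api/orders?page=5
2024-01-01T10:00:04 203.0.113.5 /api/orders?page=6
2024-01-01T10:10:00 198.51.100.9 /api/customers/1001
2024-01-01T10:20:00 198.51.100.9 /api/customers/1002
2024-01-01T10:30:00 198.51.100.9 /api/customers/1003
2024-01-01T10:40:00 198.51.100.9 /api/customers/1004
2024-01-01T10:50:00 198.51.100.9 /api/customers/1005
2024-01-01T11:00:00 198.51.100.9 /api/customers/1006
2024-01-01T11:05:00 192.0.2.77 /api/customers/42
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, path = line.split()
        yield datetime.fromisoformat(ts), ip, path

def detect_bursts(log, max_requests=5, window_s=10):
    """IPs that exceed max_requests within any sliding window of window_s seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _ in parse(log):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop requests outside the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged

def detect_enumeration(log, prefix="/api/customers/", max_distinct=5):
    """IPs that fetch more distinct records under prefix than a normal user would.
    A slow, low-rate harvest never trips a burst limit, so count records, not requests."""
    seen = defaultdict(set)
    for _, ip, path in parse(log):
        if path.startswith(prefix):
            seen[ip].add(path)
    return {ip for ip, paths in seen.items() if len(paths) > max_distinct}

if __name__ == "__main__":
    print("burst:", detect_bursts(SAMPLE_LOG))            # {'203.0.113.5'}
    print("enumeration:", detect_enumeration(SAMPLE_LOG))  # {'198.51.100.9'}
```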
Preventing unrestricted resource consumption vulnerabilities
Preventing unrestricted resource consumption vulnerabilities requires capping memory, CPU, process restarts, file descriptors, and other resources at reasonable limits. For example, by defining and enforcing a maximum size for all incoming payloads, developers can bound the resources any single request can consume.
Web application firewalls should be configured to protect each API endpoint, detecting and blocking traffic associated with DoS and DDoS attacks, including:
Rate limiting
Restrict how often clients can interact with APIs within a defined timeframe based on business needs.
Throttling
Limit how many times a single API user can execute operations without additional validation requirements.
Server-side validation
More tightly control the number of records that can be returned in the API response.
Configure request limits
Employ limits and alerts for service providers and API integrations to flag excess requests.
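Three of the controls above (rate limiting per client, a maximum payload size, and server-side clamping of the number of records returned) in one request handler, as an added example that is not part of the original post. The token-bucket limiter, the limits, and the handle() function are hypothetical helpers written for this illustration, not a library or framework API; the clock is injectable so the behaviour can be checked deterministically.

```python
import time
from dataclasses import dataclass

MAX_BODY_BYTES = 64 * 1024   # reject payloads larger than this before processing them
MAX_PAGE_SIZE = 100          # server-side cap on records per response, whatever the client asks for
RATE, BURST = 5.0, 10.0      # tokens refilled per second, and bucket capacity, per client

@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0

class RateLimiter:
    """Token bucket per client key (API key or source IP). Hypothetical helper."""
    def __init__(self, clock=time.monotonic):
        self.clock, self.buckets = clock, {}
    def allow(self, key):
        now = self.clock()
        b = self.buckets.setdefault(key, Bucket(last=now))
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE)  # refill since last call
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

def handle(limiter, client, headers, body, query):
    """Return (status, message). Cheapest checks run first so rejected requests cost little."""
    if not limiter.allow(client):
        return 429, "rate limit exceeded; retry later"
    try:
        declared = int(headers.get("content-length", "0"))
        requested = int(query.get("page_size", "20"))
    except ValueError:
        return 400, "content-length and page_size must be integers"
    if declared > MAX_BODY_BYTES or len(body) > MAX_BODY_BYTES:
        return 413, "payload too large"
    page_size = max(1, min(requested, MAX_PAGE_SIZE))  # clamp; never trust the client's value
    return 200, f"returning {page_size} records"

if __name__ == "__main__":
    t = [0.0]
    limiter = RateLimiter(clock=lambda: t[0])
    codes = [handle(limiter, "client-a", {}, b"", {"page_size": "5000"})[0] for _ in range(12)]
    print(codes)  # ten 200s, then two 429s once the bucket is empty
    t[0] += 1.0   # one second later, five tokens have refilled
    print(handle(limiter, "client-a", {"content-length": "999999"}, b"", {}))  # (413, ...)
```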