An Application Programming Interface (API) is one of the core components of a modern application framework that allows a software program to use the capabilities of another program without requiring a deep understanding of the third-party software’s implementation details. APIs also speed up an app development process by enabling quick access to cloud storage, following efficient application design patterns, and allowing app developers to opt for high-performance SaaS hybrid models. However, ineffective integration practices and generic application layer implementations often develop security vulnerabilities that are easily exploited in the modern threat landscape.
This article discusses the API4:2019, Lack of Resource and Rate Limiting vulnerability, common attack scenarios, its impacts on businesses, and remediation measures.
What is the Lack of Resources and Rate Limiting in Cyber Security?
Lack of Resource and Rate Limiting (API4:2019) is attributed by Online Web Application Security Project (OWASP) as one of the top 10 API-related security vulnerabilities that occurs when developers fail to limit the size of objects, the number of inbound requests and access requests from a single client (end-user or service) to a client application. Malicious users can leverage a lack of resources and rate limiting for several attack scenarios that result in API server performance issues. Exploiting the vulnerability, hackers can submit many requests quickly to exhaust API resources (such as CPU, storage, and system memory).
When API resources are fully consumed, the endpoint gets overwhelmed and fails to service inbound requests. As most API endpoints are hosted on shared machines, exploiting one vulnerable API endpoint often leads to exhausting bundles of resources and resource starvation of an entire framework. Besides causing performance issues, the API4:2019 flaw can also be used to abuse application logic by leveraging attack mechanisms, including unauthorized use of administrative functions, stealing access tokens, and content-based attacks.
Examples of Lack of Resources and Rate Limiting Exploits
An API with an undefined lack of resources and rate limiting offers a vast attack surface for attackers to orchestrate different forms of exploits. Some common issues and exploits based on the API4:2019 vulnerabilities include:
Overloading the API Endpoint
Assuming an API has rate-limiting implementation flaws and lacks optimal authorization mechanisms, attackers can modify client requests that cause the API to return many items in response to a query. This causes the API endpoint to perform sub-optimally or be unresponsive to client requests.
Assume a vulnerable API endpoint uses the following request attributes to return 250 items with a maximum page size of 250 in response to a search query:
{
"Search_filter":
“user_id=exampleId_100”,
"max_return": "250",
"page_size":" 250",
"Return_attributes" :[
]
}
An attacker can modify the request with attributes similar to the following:
{
"Search_filter":
“user_id=exampleId_100”,
"max_return": "20000",
"page_size":" 20000",
"Return_attributes" :[
]
}
This modification forces the search query to return excessive items, which could overload the API endpoint and be unavailable to serve other requests.
Exfiltrating Sensitive Data
In an application that lacks resource limits, attackers can alter the API endpoint’s internal processes and business logic for unauthorized data access.
Consider an API retrieving a user’s email ID without robust access policies. Assuming the endpoint URL for returning the email IDs of 20 users looks similar to the following:
https://darwin/api.example.com/v1.1/emails/view?user_id=123&entries=20
Attackers can modify the endpoint to return more email content, which allows them to gain administrative access to more user identities. To read 5000 user emails in one call, the attacker modifies the endpoint to:
https://darwin/api.example.com/v1.1/emails/view?user_id=123&entries=5000
Impacts of a Rate-Limiting API Attack
Security incidents can have severe consequences when hackers attack systems lacking resources and rate-limiting vulnerability. Some impacts of a successful attack include:
- Denial of service – This refers to an attack technique in which an attacker modifies requests to overload the API endpoint, causing all its resources to be consumed and unavailable to serve other requests.
- Web attacks – Hackers leverage the API4:2019 for various API security breaches, including brute force attacks, command injection, and dictionary attacks.
- Unauthorized data access – Lack of resource limits can be exploited to exfiltrate sensitive data, including credit card information, user credentials, and intellectual properties.
- Command injection – Unintended commands over lack of rate limit vulnerability lead to several attack patterns, including permissive cross-origin resource sharing, stealing access tokens, unauthorized access to restricted data, and other traffic anomalies.
Whitepaper
API Vulnerability Prevention Guide
Learn how to detect and prevent API vulnerabilities.
Preventing Lack of Resources and Rate-Limiting Attacks
Below are some API security practices to prevent attacks targeting the lack of resources and rate-limiting vulnerability:
User authentication and authorization
Attackers typically leverage authentication and authorization flaws to submit requests with misconfigured HTTP headers for unrestricted access. API developers and security teams should collaborate to enforce proper authorization mechanisms that ensure only legitimate users can submit requests. Appropriate authorization approaches prevent malicious users from altering requests or accessing sensitive content.
Some recommended approaches for authorization and authentication mechanisms to protect APIs from rate-limiting attacks include:
- Function level access control
- Authentication tokens/access tokens
- Complex access control policies
- Multi-Factor authentication
Role-Based Access Control
Role Based Access control (RBAC) is crucial for API security compliance as it helps implement robust authorization boundaries to enforce access rights of entities based on roles within the organization. RBAC also simplifies the implementation of user authentication and authorization while administering focused authorization approaches to protect API resources across all stages of an API lifecycle.
API Security Suites
API security suites are toolkits that secure API traffic through security policies, API design best practices, and vulnerability scanning. These toolkits automate API security processes to prevent abuse of an API endpoint and malicious access to content. Crashtest Security Suite is one such platform that helps security teams protect web applications and APIs through automated API penetration testing and vulnerability scanning to debug endpoints. The security platform offers accurate reports on vulnerabilities, with remediation advice to quickly eliminate security blind spots.
To know more about how Crashtest Security can help quickly assess the vulnerability of your APIs and application stack, try a 14-day, free demo here.
FAQs
Besides API4: 2019, what are the other top 10 API security vulnerabilities?
According to the OWASP API Top 10 of 2019, vulnerabilities that cause the most common security issues with APIs include:
- Broken object-level authorization checks
- Broken authentication
- Excessive data exposure
- Broken function level authorization
- Mass assignment
- Security misconfiguration
- Injection flaws
- Improper assets management
- Insufficient logging & monitoring
- Unsecure default configurations
How would you test for lack of resources and Rate Limiting?
API traffic logs are one of the most effective tools to identify the lack of resource and rate-limiting vulnerability. Traffic logs also provide auditing capabilities of API traffic by recording all critical events registered on the API endpoint. These logs save historical traffic metadata that offer insightful details of rate limits and APIs from request patterns.