Gavin Johnson-Lynn
SOFTWARE DEVELOPER, OFFENSIVE SECURITY SPECIALIST
@gav_jl www.gavinjl.me
Overview Resources in an API
Abusing missing limits
Vulnerability impacts
Common defenses
Throttling requests
Simultaneous requests are expected
What Is It?
Each API request uses resources
Too many requests cause problems
Request Resources
Exploitability
Upload feature
Strain on resources
Disk space
Memory (RAM)
Password Brute Force
Incorrect password
- Several tries
- Is it really the user?
Unlimited guesses
- Automated tools
- Common password lists
Query Parameter Tampering
https://.../Content?page=1&PageSize=100
Response:
[
{record1…}
{record2…}
…
{record100…}
]
https://.../Content?page=2&PageSize=100
Response:
[
{record101…}
{record102…}
…
{record200…}
]
https://.../Content?page=1&PageSize=1000000
Response:
[
{record1…}
{record2…}
…
{record999999…}
]
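The tampering above works only when the server trusts the client's PageSize. The following is an added illustration, not code from the slides: the endpoint path, parameter names and the ceiling of 100 records are assumptions, and the data layer is simulated so the snippet runs offline. The point it shows is that the server clamps the page size to its own maximum, so PageSize=1000000 still yields a 100-record page.

```python
# Added example: server-side validation of paging parameters so a tampered
# PageSize (e.g. PageSize=1000000) cannot force the API to return every row.
# Not code from the original slides; the parameter names and limits below
# are assumptions chosen for illustration.
from urllib.parse import urlsplit, parse_qs

DEFAULT_PAGE_SIZE = 100   # assumed default when PageSize is absent
MAX_PAGE_SIZE = 100       # assumed hard ceiling, enforced regardless of the request


class BadRequest(ValueError):
    """Raised for paging values the server refuses (would map to HTTP 400)."""


def parse_paging(url: str) -> tuple[int, int]:
    """Return (page, page_size) after validating and clamping the query string."""
    params = parse_qs(urlsplit(url).query)
    page_raw = params.get("page", ["1"])[0]
    size_raw = params.get("PageSize", [str(DEFAULT_PAGE_SIZE)])[0]
    try:
        page = int(page_raw)
        size = int(size_raw)
    except ValueError:
        raise BadRequest("page and PageSize must be integers")
    if page < 1 or size < 1:
        raise BadRequest("page and PageSize must be positive")
    # Clamp rather than trust: the server, not the client, decides the ceiling.
    return page, min(size, MAX_PAGE_SIZE)


def fetch_page(url: str, total_records: int) -> list[str]:
    """Simulated data layer: return at most MAX_PAGE_SIZE record ids for the page."""
    page, size = parse_paging(url)
    start = (page - 1) * size
    end = min(start + size, total_records)
    return [f"record{i}" for i in range(start + 1, end + 1)]


if __name__ == "__main__":
    # Constructed sample: a million-row table and a tampered PageSize.
    rows = fetch_page("https://api.example.test/Content?page=2&PageSize=1000000", 1_000_000)
    print(len(rows), rows[0], rows[-1])
```

Clamping silently is one design choice; rejecting the request with HTTP 400 when PageSize exceeds the ceiling is the stricter alternative and makes tampering attempts easier to spot in logs.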
Prevalence
Slow responses
Technical Impact
Request throttling
- Limit requests in a time period
- Error if exceeded – HTTP 429
Lock accounts
- Minimum lockout should be minutes
- Maximum lockout should require contacting an admin
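Both defenses on this slide, request throttling with HTTP 429 and account lockout after repeated failed logins, can be sketched in a few dozen lines. The block below is an added example and not the slides' own code: the limits, window lengths, client and account keys are assumptions chosen for illustration, and a fake clock is injected so the behaviour can be exercised without waiting in real time.

```python
# Added example: sliding-window request throttling (answered with HTTP 429 and
# a Retry-After hint) plus account lockout after repeated failed logins.
# Not code from the original slides; limits, windows and keys are assumptions.
import time
from collections import deque, defaultdict


class RateLimiter:
    """Allow at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: dict[str, deque] = defaultdict(deque)

    def check(self, client: str) -> tuple[int, dict]:
        """Return (status_code, headers): 200 if allowed, 429 if throttled."""
        now = self.clock()
        hits = self._hits[client]
        # Drop request timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # Tell the client when the oldest in-window request expires.
            retry_after = int(self.window - (now - hits[0])) + 1
            return 429, {"Retry-After": str(retry_after)}
        hits.append(now)
        return 200, {}


class LoginLockout:
    """Lock an account after `max_failures` wrong passwords for `lock_seconds`."""

    def __init__(self, max_failures: int = 5, lock_seconds: float = 15 * 60,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds   # minimum lock measured in minutes
        self.clock = clock
        self._failures: dict[str, int] = defaultdict(int)
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it and the failure counter.
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a wrong password; return True if the account is now locked."""
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct password resets the failure counter."""
        self._failures[account] = 0


class FakeClock:
    """Constructed clock for offline demonstration: time only moves when told to."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(limit=3, window=60, clock=clock)
    for _ in range(4):
        print(limiter.check("10.0.0.1"))     # fourth call is throttled with 429
    lockout = LoginLockout(max_failures=3, lock_seconds=600, clock=clock)
    for _ in range(3):
        lockout.record_failure("alice")
    print(lockout.is_locked("alice"))        # True until the clock passes 600s
```

In a real deployment the per-client and per-account state would live in a shared store such as Redis rather than process memory, otherwise each API instance enforces its own independent limit and the effective ceiling multiplies with the number of instances.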
Defense
Defenses
- Limit resource impact
- Request throttling