Welcome to Scribd!

Lack of Resource and Rate Limiting: Gavin Johnson-Lynn

Uploaded by

0% found this document useful (0 votes)

58 views16 pages

This document discusses resource and rate limiting vulnerabilities in APIs. It presents how lack of limits on resources like file uploads, password attempts, and database queries can strain servers and potentially cause denial of service. It recommends common defenses like throttling requests by user, limiting concurrent requests, and restricting things like file sizes, password attempts, and database query parameters through input validation.

Original Description:

Original Title

lack-of-resource-and-rate-limiting-slides

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

58 views16 pages

Lack of Resource and Rate Limiting: Gavin Johnson-Lynn

Uploaded by

Oluwaseun Ogunrinde

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 16

Search inside document

Lack of Resource and Rate Limiting

Gavin Johnson-Lynn
SOFTWARE DEVELOPER, OFFENSIVE SECURITY SPECIALIST

@gav_jl www.gavinjl.me
Overview Resources in an API
Abusing missing limits
Vulnerability impacts
Common defenses
Throttling requests
Simultaneous requests are expected
What Is It?
Each API request uses resources
Too many requests cause problems
Request Resources
Exploitability

Making requests is enough

Usually from authenticated users
Load test tools
- E.g. JMeter
- From a single machine
- From multiple machines
Large File Upload

Upload feature
Strain on resources
Disk space
Memory (RAM)
Password Brute Force

Incorrect password
- Several tries
- Is it really the user?

Unlimited guesses
- Automated tools
- Common password lists
Query Parameter Tampering

Request large amount

of records
Filter records
Page size
Complex database
queries
Query Parameter Tampering Attack

https://.../Content?page=2
1 &PageSize= 1000000
100

Response:
[
{record101…}
{record1…}
{record2…}
{record102…}
…
{record100}
{record999999…}
{record200}
]
Prevalence

Occurs in a variety of ways

Load testing
- Put API under load
- Highlight potential problems
Detectability

Common failure points

- Invalid passwords
- File uploads
- Data queries

Slow responses
Technical Impact

Denial of service (DoS)

Slow responses
Overwhelmed database
Denial of wallet
Defense – Rate Limiting

Request throttling
- Limit requests in a time period
- Error if exceeded – HTTP 429

Request throttling in the cloud

- Azure API management
- AWS API gateway

Authenticated users are easily throttled

Anonymous users can be harder
Defense – Authentication

Anonymous access to authentication

Limit number of login attempts
- 3-5 guesses before locking

Lock accounts
- Minimum should be minutes
- Maximum should be contact admin
Defense

File upload defense

- Config to limit request size
- Use caution if increasing

Paged query defense

- Works only when trusting user input
- NEVER trust use input!
- Validate maximum page size

Input validation on all fields from client

Presents in various ways
Consider how it presents in your API
Summary
Impact
- Slows down API
- DoS
- Denial of wallet

Defenses
- Limit resource impact
- Request throttling

How To Integrate ChatGPT (OpenAI) and PDF - Co
Document16 pages
How To Integrate ChatGPT (OpenAI) and PDF - Co
Kezo Jason
No ratings yet
Web Application Security Web Application Security Testing: Ir. Geert Colpaert, CEH 8 Oktober 2008
Document22 pages
Web Application Security Web Application Security Testing: Ir. Geert Colpaert, CEH 8 Oktober 2008
pooranisrinivasan85
No ratings yet
Writting A Letter of Recommendation
Document19 pages
Writting A Letter of Recommendation
Vince Vo
100% (6)
Web Application Security
Document65 pages
Web Application Security
jghc
No ratings yet
International Botnet and Iot Security Guide
Document57 pages
International Botnet and Iot Security Guide
strokenfilled
No ratings yet
Squid Proxy Server 3.1 Beginner's Guide
From Everand
Squid Proxy Server 3.1 Beginner's Guide
Kulbir Saini
Rating: 3 out of 5 stars
3/5 (1)
Referencing Styles - Northumbria University
Document4 pages
Referencing Styles - Northumbria University
Althaf Hussain
100% (1)
Report For Foophones: by Utkarsh Munra
Document37 pages
Report For Foophones: by Utkarsh Munra
suraj fb
No ratings yet
An Introduction To Penetration Testing
Document26 pages
An Introduction To Penetration Testing
Karel Goldmann
No ratings yet
ASP.NET Core Security
From Everand
ASP.NET Core Security
Christian Wenz
Rating: 5 out of 5 stars
5/5 (1)
Vulnerabilities in Modern Web Applications
Document34 pages
Vulnerabilities in Modern Web Applications
NiyasNazar
100% (1)
Source Code Review
Document37 pages
Source Code Review
cikgufatah
No ratings yet
CEH Lesson 5 - Web Server Hacking
Document25 pages
CEH Lesson 5 - Web Server Hacking
Louise Real
No ratings yet
Category Sub-Category Status: Pre-Scan Analysis
Document53 pages
Category Sub-Category Status: Pre-Scan Analysis
Vusra
No ratings yet
Datasheet HTML CSS JS
Document14 pages
Datasheet HTML CSS JS
Emilia Poletti
No ratings yet
NMCSP 2008 Batch-I: Web Application Vulnerabilities
Document56 pages
NMCSP 2008 Batch-I: Web Application Vulnerabilities
Jitendra Kumar Dash
No ratings yet
Owasp Top10 and Security Flaws
Document60 pages
Owasp Top10 and Security Flaws
Andy Willams
No ratings yet
The Top 10 Security Weakness (Vulnerabilities) in Web Applications (OWASP Top 10)
Document33 pages
The Top 10 Security Weakness (Vulnerabilities) in Web Applications (OWASP Top 10)
Rushit D. Brahmbhatt
100% (1)
Web Security Interview Question
Document34 pages
Web Security Interview Question
arunika pal
No ratings yet
Web Application Security
Document25 pages
Web Application Security
Nipun Verma
No ratings yet
Web Application Security Adithyan AK
Document64 pages
Web Application Security Adithyan AK
HAMDAN ALI
No ratings yet
Web Security Interview Question
Document8 pages
Web Security Interview Question
venkat1034
No ratings yet
Workshop SCA and WebInspect-April-04062016
Document193 pages
Workshop SCA and WebInspect-April-04062016
Rogério Almeida
No ratings yet
4.1 Web Application Vulnerabilities - OWASP - ZSS
Document20 pages
4.1 Web Application Vulnerabilities - OWASP - ZSS
Dhairya Thakkar
No ratings yet
Web Penetration Testing with Kali Linux - Second Edition
From Everand
Web Penetration Testing with Kali Linux - Second Edition
Ansari Juned Ahmed
No ratings yet
PHP Microservices
From Everand
PHP Microservices
Carlos Pérez Sánchez
Rating: 3 out of 5 stars
3/5 (1)
Improper Assets Management: Gavin Johnson-Lynn
Document16 pages
Improper Assets Management: Gavin Johnson-Lynn
Oluwaseun Ogunrinde
No ratings yet
Lezione Argiolu - Master Roma3!3!12-2010 - Application Security - Intro
Document41 pages
Lezione Argiolu - Master Roma3!3!12-2010 - Application Security - Intro
WB_Yeats
No ratings yet
Web Portals, Gateway To Information
Document35 pages
Web Portals, Gateway To Information
may_ank09
No ratings yet
Webappsec Intro
Document25 pages
Webappsec Intro
somendas
No ratings yet
Traffic Shield: Rainer Singer
Document30 pages
Traffic Shield: Rainer Singer
New Comers
No ratings yet
Web Application Attack - Eryk Budi Pratama
Document24 pages
Web Application Attack - Eryk Budi Pratama
Arc Daisy
No ratings yet
Application Penetration Testing: Presentation By: Nancy Cohen
Document21 pages
Application Penetration Testing: Presentation By: Nancy Cohen
Aaaja Re
No ratings yet
02 Preventing Web App Hacking
Document31 pages
02 Preventing Web App Hacking
anil
No ratings yet
Chapter 05 - Application Attacks - Handout
Document59 pages
Chapter 05 - Application Attacks - Handout
Wayne Wayne
No ratings yet
Mitigating Malware: Collin Jackson CS142 - Winter 2009
Document31 pages
Mitigating Malware: Collin Jackson CS142 - Winter 2009
bukantito
No ratings yet
9 Ways To Hack A Web Application
Document48 pages
9 Ways To Hack A Web Application
dn5jg
No ratings yet
Database Security: Is Your Data Vulnerable?: Presented By: Mary R.Sweeney
Document24 pages
Database Security: Is Your Data Vulnerable?: Presented By: Mary R.Sweeney
Pham Hieu
No ratings yet
Web Application Hacking Penetration Testing 5 Day Hands On Course Syllabus v2.0 New
Document8 pages
Web Application Hacking Penetration Testing 5 Day Hands On Course Syllabus v2.0 New
strokenfilled
No ratings yet
Lecture 15 - Web Security: CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
Document14 pages
Lecture 15 - Web Security: CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
Arpit Gupta
No ratings yet
Defending Against Dos
Document51 pages
Defending Against Dos
Alberto Garcia
No ratings yet
Indusface WAS Premium - Advanced Systems Co. LTD
Document12 pages
Indusface WAS Premium - Advanced Systems Co. LTD
shadab umair
No ratings yet
PD I 2015 Web Application Security
Document46 pages
PD I 2015 Web Application Security
Munirul Ula PhD
No ratings yet
Programming For Security
Document25 pages
Programming For Security
aloshbennett
No ratings yet
Security+ Notes Alan Raff
Document6 pages
Security+ Notes Alan Raff
Pala
No ratings yet
Hacking Web Applications
Document5 pages
Hacking Web Applications
Deandryn Russell
No ratings yet
Day12 Client Side Attacks
Document65 pages
Day12 Client Side Attacks
Sheharyar Awan
No ratings yet
Google App Engine
Document14 pages
Google App Engine
percybhai031
No ratings yet
Software Vulnerabiliites
Document95 pages
Software Vulnerabiliites
Bhoomi
No ratings yet
Security Control Assessment Yes/No
Document11 pages
Security Control Assessment Yes/No
sashi
No ratings yet
2023 08 03 ZAP Report
Document58 pages
2023 08 03 ZAP Report
Quang Hà Đặng
No ratings yet
Network Security Part 1
Document85 pages
Network Security Part 1
amolmh
No ratings yet
ISF Presentation Jan 29 DD
Document40 pages
ISF Presentation Jan 29 DD
sudeepjm
No ratings yet
10a - Web Security
Document14 pages
10a - Web Security
Alif Faisal
No ratings yet
Pen Testing: Khuda Bux (PHD Computing) CMS# 29322 Jebraeel Amin (MS) CMS# 20991
Document18 pages
Pen Testing: Khuda Bux (PHD Computing) CMS# 29322 Jebraeel Amin (MS) CMS# 20991
Jabrail Amin
No ratings yet
02lec - 10 OWASP Vulnerabilities (1) (6 Files Merged)
Document153 pages
02lec - 10 OWASP Vulnerabilities (1) (6 Files Merged)
manju kakkar
No ratings yet
Introduction To Web Penetration Testing
Document60 pages
Introduction To Web Penetration Testing
matthieucolle1
No ratings yet
Unit 1 Web Appln Security Prinicples PDF
Document140 pages
Unit 1 Web Appln Security Prinicples PDF
Venkateswara Gupta P
No ratings yet
Web App Pentesting Checklist
Document3 pages
Web App Pentesting Checklist
clcik
No ratings yet
Vuln Scan
Document12 pages
Vuln Scan
Brijendra Pratap Singh
No ratings yet
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Document49 pages
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Akki ash
No ratings yet
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Document49 pages
Web Application Security: ISACA Bangalore Chapter Aug 2007 Runa Dwibedi
Akki ash
No ratings yet
Automating Security Tests With Selenium: by Brady Vitrano & Charles Neill Presented To OWASP San Antonio March 20th, 2015
Document27 pages
Automating Security Tests With Selenium: by Brady Vitrano & Charles Neill Presented To OWASP San Antonio March 20th, 2015
Abhinandan
No ratings yet
DBSecurity-Overview - New
Document49 pages
DBSecurity-Overview - New
Akhilesh [MAVIS] Pokale
No ratings yet
Why - Ethical Hacking: Social Engineering Automated Attacks Protection From Possible External Attacks
Document14 pages
Why - Ethical Hacking: Social Engineering Automated Attacks Protection From Possible External Attacks
faiza
No ratings yet
Requirement 6 Continued Security in Software Development Slides
Document41 pages
Requirement 6 Continued Security in Software Development Slides
Oluwaseun Ogunrinde
No ratings yet
Excessive Data Exposure: Gavin Johnson-Lynn
Document13 pages
Excessive Data Exposure: Gavin Johnson-Lynn
Oluwaseun Ogunrinde
No ratings yet
Deloitte Rise of The Chief Digital Officer PDF
Document24 pages
Deloitte Rise of The Chief Digital Officer PDF
Bloom Vibe
No ratings yet
Requirement 5 Anti Virus and Anti Malware Slides
Document23 pages
Requirement 5 Anti Virus and Anti Malware Slides
Oluwaseun Ogunrinde
No ratings yet
Mutillidae
Document1 page
Mutillidae
Oluwaseun Ogunrinde
No ratings yet
Copy Prices
Document8 pages
Copy Prices
Oluwaseun Ogunrinde
No ratings yet
2020 Trustwave Global Security Report
Document60 pages
2020 Trustwave Global Security Report
Oluwaseun Ogunrinde
No ratings yet
2020 Trustwave Global Security Report
Document60 pages
2020 Trustwave Global Security Report
Oluwaseun Ogunrinde
No ratings yet
Workbook
Document58 pages
Workbook
goldenvrg
No ratings yet
Publicschoolphon 00 Unse
Document68 pages
Publicschoolphon 00 Unse
amiveluv
No ratings yet
Robots
Document1 page
Robots
Oluwaseun Ogunrinde
No ratings yet
Module For English Enhancement
Document36 pages
Module For English Enhancement
Pogi Medino
100% (1)
Eurípides Medea Loeb PDF
Document533 pages
Eurípides Medea Loeb PDF
Eliaspaxote
No ratings yet
Eet699 Writing Test
Document20 pages
Eet699 Writing Test
NurFatihah Nadirah Noor Azlan
No ratings yet
SCL Worksheet Week 1 Introduction To Comparison and Contrast Essay
Document5 pages
SCL Worksheet Week 1 Introduction To Comparison and Contrast Essay
Rashidah Hameed
No ratings yet
System Ex200
Document6 pages
System Ex200
ziblur
No ratings yet
Datasheet - Eve Single - 0
Document10 pages
Datasheet - Eve Single - 0
IL
No ratings yet
???welcome To The Oppai Squad
Document8 pages
???welcome To The Oppai Squad
Azewas Asyraf
No ratings yet
A Moving Target Defense Approach To Disrupting Stealthy Botnets
Document10 pages
A Moving Target Defense Approach To Disrupting Stealthy Botnets
Kombe Bom
No ratings yet
Exam Registration Tutorial PDF
Document9 pages
Exam Registration Tutorial PDF
MP Ik
No ratings yet
CCSK Course Outlines PDF
Document5 pages
CCSK Course Outlines PDF
Pooja Sachdeva
No ratings yet
Communication L2 Error Checking and Correction
Document18 pages
Communication L2 Error Checking and Correction
Nouman Shamim
No ratings yet
Oracle Form Personalization
Document84 pages
Oracle Form Personalization
setikazam
No ratings yet
MIL Reviewer Cheat Sheet: by Via
Document2 pages
MIL Reviewer Cheat Sheet: by Via
Lyka Lorraine Olegario
No ratings yet
BUS 500 Draft Portfolio
Document18 pages
BUS 500 Draft Portfolio
farjana taslim
No ratings yet
RW 7400 8008
Document4 pages
RW 7400 8008
Amos Goldman
No ratings yet
Security Other Mcqs Bet
Document3 pages
Security Other Mcqs Bet
Saad
No ratings yet
Emtech q1 Module Full
Document72 pages
Emtech q1 Module Full
Marlyn Guiang
No ratings yet
AWS Course Contents
Document4 pages
AWS Course Contents
tekula akhil
No ratings yet
CPR - Corebook - Cyberpunk Red v121.pdf: Once You Upload An Approved Document, You Will Be Able To Download The Document
Document2 pages
CPR - Corebook - Cyberpunk Red v121.pdf: Once You Upload An Approved Document, You Will Be Able To Download The Document
akjhwdkwdh
No ratings yet
Malacious Software
Document54 pages
Malacious Software
Narender Kumar
No ratings yet
An Introduction To Graphql and Rubrik
Document14 pages
An Introduction To Graphql and Rubrik
missspeciala3
No ratings yet
Leave Management User Guide
Document15 pages
Leave Management User Guide
MUHAMMAD SANI
No ratings yet
Freshworks FRSHW 30900 8 Dec 2020 8 13 55 Signed PDF
Document3 pages
Freshworks FRSHW 30900 8 Dec 2020 8 13 55 Signed PDF
Nader Gadallah
No ratings yet
18-08-Todoist Setup Guide
Document14 pages
18-08-Todoist Setup Guide
Nick
No ratings yet
Release Notes: Grid Solutions
Document66 pages
Release Notes: Grid Solutions
RONALD
No ratings yet
Jemal Hassen
Document131 pages
Jemal Hassen
wsdwqrfasfa
No ratings yet