The API does not limit the number of calls it accepts or the size of the payloads it processes. Attackers can exploit this for Denial of Service (DoS) and to exploit authentication flaws, for example through brute-force attacks.
Use case
- Attackers overload the API by sending more requests than it can handle.
- Attackers send requests at a rate exceeding the API’s processing speed, clogging it up.
- The size of the requests or some fields in them exceeds what the API can process.
- "Zip bombs", archive files that have been designed so that unpacking them takes an excessive amount of resources and overloads the API.
How to prevent
- Define proper rate limiting.
- Limit payload sizes.
- Tailor the rate limiting to match what API methods, clients, or addresses need or should be allowed to get.
- Add checks on compression ratios.
- Define limits for container resources.
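An added example, not code from the OWASP page, showing how the first four countermeasures above fit together in a request-admission check: a per-client token-bucket rate limiter, a cap on the raw payload size, and bounded inflation that rejects a deflate body as soon as its compression ratio or inflated size exceeds a limit. The limit values, the client key and the `deflate` encoding are assumptions chosen for illustration.

```python
import time
import zlib
from collections import defaultdict
MAX_BODY_BYTES = 1 << 20          # 1 MiB cap on the raw request body (assumed value)
MAX_INFLATED_BYTES = 8 << 20      # 8 MiB cap on the decompressed body (assumed value)
MAX_COMPRESSION_RATIO = 100       # inflated/raw above this is treated as a zip bomb (assumed)

class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second, stores at most `burst`."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens, self.last_seen = defaultdict(lambda: float(burst)), {}

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last_seen.get(client, now)
        self.last_seen[client] = now
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] < 1:
            return False
        self.tokens[client] -= 1
        return True

def _check_inflated(inflated_len, raw_len):
    if inflated_len > MAX_INFLATED_BYTES or inflated_len > MAX_COMPRESSION_RATIO * raw_len:
        raise ValueError("decompression bomb")

def inflate_bounded(raw):
    """Inflate a deflate body in 64 KiB steps, aborting as soon as a limit is exceeded."""
    d, out, pending = zlib.decompressobj(), bytearray(), raw
    while pending:
        out += d.decompress(pending, 64 * 1024)  # bounded output per step
        pending = d.unconsumed_tail              # input not yet consumed
        _check_inflated(len(out), len(raw))
    out += d.flush()
    _check_inflated(len(out), len(raw))
    return bytes(out)

def admit_request(limiter, client, raw, content_encoding=None):
    """Apply the checks in order; return 'ok' or the reason the request is rejected."""
    if not limiter.allow(client):
        return "rate_limited"
    if len(raw) > MAX_BODY_BYTES:
        return "payload_too_large"
    if content_encoding == "deflate":
        try:
            inflate_bounded(raw)
        except (ValueError, zlib.error):  # bomb or malformed stream
            return "decompression_rejected"
    return "ok"
```

The ratio check runs after every 64 KiB of output, so a zip bomb is rejected long before its full inflated size is materialized in memory.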
Full OWASP API Security Top 10 2023 list
Full OWASP API Security Top 10 2019 list