API 04:2019 โ€” Lack of resources and rate limiting


The API is not protected against an excessive amount of calls or payload sizes. Attackers can use this for Denial of Service (DoS) and authentication flaws like brute force attacks.

Bombing the API with too many requests or too big payloads can make the API crash, possibly with unexpected results.

Use case

  • Attackers overload the API by sending more requests than they can handle.
  • Attackers send requests at a rate exceeding the API’s processing speed, clogging it up.
  • The size of the requests or some fields in them exceeds what the API can process.
  • โ€œZip bombsโ€, archive files that have been designed so that unpacking them takes an excessive amount of resources and overloads the API.

How to prevent

  • Define proper rate limiting.
  • Limit payload sizes.
  • Tailor the rate limiting to match what API methods, clients, or addresses need or should be allowed to get.
  • Add checks on compression ratios.
  • Define limits for container resources.

Full OWASP API Security Top 10 2023 list

Full OWASP API Security Top 10 2019 list