The API is not protected against an excessive number of calls or oversized payloads. Attackers can exploit this for Denial of Service (DoS) and for authentication attacks such as brute force.
- Attackers overload the API by sending more requests than it can handle.
- Attackers send requests at a rate exceeding the API’s processing speed, so requests back up and the service stalls.
- The size of a request, or of individual fields within it, exceeds what the API can process.
- “Zip bombs”: archive files crafted so that unpacking them consumes an excessive amount of resources and overloads the API.
How to prevent
- Define proper rate limiting.
- Limit payload sizes.
- Tailor the rate limits to what each API method, client, or address needs or should be allowed to receive.
- Add checks on compression ratios.
- Define limits for container resources.
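The following is an added example, not code from the original page, showing how the prevention bullets above fit together in a framework-agnostic request guard: a per-client token-bucket rate limiter (one limiter instance per API method, so limits can be tailored), a raw payload size limit, and a bounded decompression step that rejects zip-bomb-style bodies by both absolute decompressed size and compression ratio. The limit values, client identifiers, and sample payloads are constructed for the example and are not from the page.

```python
"""Request guards for the three controls discussed above: rate limiting,
payload size limits and compression-ratio checks.  Added example; all
thresholds below are illustrative assumptions, tune them per API method."""
import time
import zlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_PAYLOAD_BYTES = 4096          # assumed raw (on-the-wire) body limit
MAX_DECOMPRESSED_BYTES = 8 * 1024  # assumed limit after inflating a body
MAX_COMPRESSION_RATIO = 20.0       # decompressed/compressed ratio allowed


@dataclass
class TokenBucket:
    tokens: float   # tokens currently available
    updated: float  # clock reading at last refill


class RateLimiter:
    """Token bucket per client id. Each request costs one token; a client
    with an empty bucket is rejected immediately rather than queued, so a
    flood from one client cannot consume the server's capacity."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, TokenBucket] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(float(self.capacity), now)
            self._buckets[client_id] = bucket
        # Refill proportionally to elapsed time, capped at the bucket size.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(self.capacity),
                            bucket.tokens + elapsed * self.refill_per_sec)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def safe_decompress(body: bytes,
                    max_out: int = MAX_DECOMPRESSED_BYTES,
                    max_ratio: float = MAX_COMPRESSION_RATIO) -> bytes:
    """Inflate a zlib/deflate body while bounding the output size.  The
    max_length argument stops inflation at max_out + 1 bytes, so a zip bomb
    is rejected before it can fill memory; the ratio check then catches
    bodies that are small but still suspiciously compressible."""
    d = zlib.decompressobj()
    out = d.decompress(body, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        raise ValueError("decompressed size exceeds limit")
    ratio = len(out) / max(1, len(body))
    if ratio > max_ratio:
        raise ValueError(f"compression ratio {ratio:.0f}:1 exceeds limit")
    return out


def guard_request(limiter: RateLimiter, client_id: str, body: bytes,
                  compressed: bool = False,
                  now: Optional[float] = None) -> Tuple[bool, str, bytes]:
    """Apply the checks cheapest-first and return (accepted, reason, payload).
    The raw size check is shown on an in-memory body for clarity; a real
    server enforces it on Content-Length before reading the body at all."""
    if not limiter.allow(client_id, now):
        return False, "rate limit exceeded", b""
    if len(body) > MAX_PAYLOAD_BYTES:
        return False, "payload too large", b""
    if compressed:
        try:
            body = safe_decompress(body)
        except ValueError as exc:
            return False, str(exc), b""
    return True, "ok", body


# Constructed sample inputs (not real traffic).
SAMPLE_JSON = b'{"user": "alice"}'
SAMPLE_COMPRESSED_OK = zlib.compress(b'{"items": [1, 2, 3]}')
SAMPLE_BOMB = zlib.compress(b"\0" * 100_000)      # ~100 B in, 100 KB out
SAMPLE_HIGH_RATIO = zlib.compress(b"A" * 5000)    # small, but ratio > 20:1

if __name__ == "__main__":
    # One limiter per method lets a login endpoint get a tighter budget.
    limiters = {"POST /login": RateLimiter(capacity=3, refill_per_sec=0.1),
                "GET /items": RateLimiter(capacity=100, refill_per_sec=10)}
    for i in range(5):
        print("login attempt", i, guard_request(limiters["POST /login"],
                                                "203.0.113.7", SAMPLE_JSON)[:2])
    for name, body in [("ok", SAMPLE_COMPRESSED_OK), ("bomb", SAMPLE_BOMB),
                       ("ratio", SAMPLE_HIGH_RATIO)]:
        print(name, guard_request(limiters["GET /items"], "c1", body,
                                  compressed=True)[:2])
```

Passing an explicit `now` makes the limiter deterministic in tests; in production leave it `None` so `time.monotonic()` is used. Because the rate check runs first, an oversized or malformed body still costs the client a token, which is the intended behaviour: repeated rejected requests should exhaust a client's budget rather than be free.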