Unrestriced Resource Consumption

Unrestricted Resource Consumption occurs when an application allows users to consume excessive amounts of system resources (e.g., CPU, memory, bandwidth) without proper limits or controls.

This can lead to Denial of Service (DoS) attacks, server crashes, or performance degradation, impacting the availability and stability of the application or system.

Implement resource limits and quotas for users or requests, use rate limiting and throttling to control resource usage, and monitor system performance to detect and address excessive resource consumption.

The below example is based on HTB's API Attacks module.

Lack of limiting user-initiated requests that consume resources can lead to DoS attacks (Figure 1) as well as BF attacks (Figure 2).

Figure 1: A potentlally-vulnerable to Uncontrolled Resource Consumption endpoint.

# Creating a 30 megabytes PDF file
$ dd if=/dev/urandom of=certificateOfIncorporation.pdf bs=1M count=30
30+0 records in
30+0 records out
31457280 bytes (31 MB, 30 MiB) copied, 0.0632942 s, 497 MB/s

$ ls -l
-rw-r--r-- 1 x7331 x7331 31457280 Jul 11 09:18 certificateOfIncorporation.pdf

Figure 2: Uploading the PDF file.

There are three main issues here:

1. The backend does not validate that the file size is within a specified size and since there are no rate-limiting measures, an attacker can consume all the marketplace's disk storage.

2. There is no check of the file extension or content, which means we can uploiad any file type we want.

3. The uploaded files are stored within the wwwroot directory. The web API is developed using ASP.NET Core which means that the static files within wwwroot are publicly accessible.

Figure 3: Performing a BFA for the user's email due to lack of rate-limiting measures.