API4:2023 - Unrestricted Resource Consumption
This vulnerability occurs when user input is passed directly to an operation without any verification, so the user can manipulate the actions they perform.
The reason this security risk exists is due to no rate limiting controls set on our API routes. This means if an attacker targets our vulnerable API route at http://kong.nonamesec.org/normal they could request it as many times as they please without being denied. The overwhelming number of requests could cause resource consumption to spike and even cause downtime while processing unlimited requests.
Example 1: Login Brute Force Attack
Intended use of login endpoint:
```http
POST /api/login
Content-Type: application/json

{
  "username": "user@example.com",
  "password": "correctPassword123"
}
```
Malicious use without rate limiting:
```bash
# Attacker tries 10,000 password combinations, one request per line of the list
while IFS= read -r password; do
  curl -X POST http://kong.nonamesec.org/normal/login \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"zack\",\"password\":\"$password\"}"
done < password-list.txt
```
Without rate limits, this attack could try thousands of passwords per minute until finding the correct one.
Example 2: Resource Exhaustion
An attacker floods the API with requests to exhaust server resources:
```bash
# Sending unlimited concurrent requests
while true; do
  curl http://kong.nonamesec.org/normal/users &
done
```
This causes resource consumption to spike and can take the service down. The table below shows which controls actually prevent resource exhaustion:
| Controls | Prevents Resource Exhaustion |
|---|---|
| Authentication | ❌ No |
| Authorization | ❌ No |
| Input validation | ❌ No |
| Rate limiting | ✅ Yes |
| Request throttling | ✅ Yes |
| Resource quotas | ✅ Yes |
Rate limiting controls the number of requests a client can make within a specific time window. Common strategies include:
- Per-IP Rate Limiting: 100 requests per minute per IP address
- Per-User Rate Limiting: 1000 requests per hour per authenticated user
- Per-Endpoint Rate Limiting:
  - Login endpoint: 5 requests per minute
  - Data endpoint: 100 requests per minute
  - Search endpoint: 50 requests per minute
In this exercise, where we present an insecure and a secure API, we tried where possible to rely on Kong's API Gateway as the source of our protection. For Unrestricted Resource Consumption, we managed to fully protect our endpoints using Kong's rate limiting capabilities without needing server-side changes.
Available Kong Plugins we utilized:
This configuration limits each client to 100 requests per minute and 1000 requests per hour. When limits are exceeded, the API returns a 429 Too Many Requests response, protecting our backend services from abuse while still allowing legitimate traffic to flow normally.
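The following Kong declarative configuration is an added example, not the exercise's own config file, showing how the strategies listed above (per-IP, per-user and per-endpoint limits) and the 100 requests/minute and 1000 requests/hour limits described here map onto Kong's `rate-limiting` plugin. The upstream address, the service and route names, the consumer `zack` and the API key are assumptions; only the `/normal`, `/normal/login` and `/normal/users` paths and the limit values come from the page.

```yaml
_format_version: "3.0"

services:
  - name: normal-api
    # Assumed upstream; the page does not state the backend address.
    url: http://backend.internal:8080
    plugins:
      # Service-wide limit: 100 requests/minute and 1000/hour per client IP.
      # Kong answers with 429 Too Many Requests once either window is exhausted.
      - name: rate-limiting
        config:
          minute: 100
          hour: 1000
          limit_by: ip        # per-IP strategy
          policy: local       # counters live in each Kong node; use redis for a cluster-wide count
          fault_tolerant: true
    routes:
      - name: normal
        paths:
          - /normal

      # Per-endpoint limit: the login route gets its own, stricter instance.
      # Kong runs only the most specifically scoped instance of a plugin, so a
      # route-level rate-limiting plugin replaces the service-level one for this path.
      # Kong also prefers the longest matching path, so /normal/login wins over /normal.
      - name: normal-login
        paths:
          - /normal/login
        plugins:
          - name: rate-limiting
            config:
              minute: 5
              limit_by: ip
              policy: local

      # Per-user limit: authenticate with key-auth, then count per consumer
      # rather than per IP, so shared NAT addresses are not throttled as one client.
      - name: normal-users
        paths:
          - /normal/users
        plugins:
          - name: key-auth
          - name: rate-limiting
            config:
              minute: 100
              hour: 1000
              limit_by: consumer
              policy: local

consumers:
  - username: zack            # assumed consumer name
    keyauth_credentials:
      - key: REPLACE-WITH-A-REAL-KEY   # placeholder, generate a real secret
```

Load the file with `kong config db_import kong.yml` (or with decK), then verify the limit on the login route by sending six requests in a minute: the first five return the upstream's response with `X-RateLimit-Remaining-Minute` counting down, the sixth returns `429` with a `Retry-After` header. Two caveats worth checking in a real deployment: `limit_by: ip` only works if Kong sees the true client address, so behind a load balancer set `trusted_ips` and `real_ip_header` in `kong.conf`; and `policy: local` keeps a separate counter on every Kong node, so with several nodes the effective limit is multiplied by the node count unless you switch to the `redis` policy.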