AppSec Blog

Top 25 Series - Rank 22 - Allocation of Resources Without Limits or Throttling

A number of years ago I was conducting a black box test of a fairly large web application. As part of this testing I used an automated script to send malicious inputs to a number of forms on the site in question. I sent a lot of requests. Turned out that, under the covers, the form would send an email to a customer service representative every time it was submitted. The poor CSR got to work in the morning and had thousands of emails in his inbox. Fortunately, my testing didn't DoS the site (although it probably did DoS the CSR), but it's this type of situation that is covered by CWE-770.

If you have functionality in your application that can lead to some form of resource exhaustion you should define requirements that set limits on the number of resources that can be used. This can be implemented in the application itself or potentially with a WAF. Has anyone used a WAF for such a purpose?

Post a Comment


* Indicates a required field.