CWE-400: Uncontrolled Resource Consumption
Learn about CWE-400 (Uncontrolled Resource Consumption), its security impact, exploitation methods, and prevention guidelines.
What is Uncontrolled Resource Consumption?
• Overview: Uncontrolled Resource Consumption (CWE-400) occurs when a software application fails to properly manage the allocation and use of limited system resources, such as memory, CPU, disk space, or network bandwidth.
• Exploitation Methods:
- Attackers can exploit this vulnerability by sending a large number of requests or data to exhaust system resources.
- Common attack patterns include Denial of Service (DoS) attacks, where attackers deliberately overwhelm system resources.
• Security Impact:
- Direct consequences of successful exploitation include system slowdowns, crashes, or complete unavailability of services.
- Potential cascading effects can lead to data loss, corruption, or failure of dependent systems.
- Business impact may involve loss of customer trust, financial losses due to downtime, and damage to company reputation.
• Prevention Guidelines:
- Specific code-level fixes include implementing resource limits and quotas, such as maximum memory usage or request rate limiting.
- Security best practices involve input validation, monitoring, and alerting for unusual resource consumption patterns.
- Recommended tools and frameworks may include rate limiting libraries, load testing tools, and application performance monitoring solutions.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Certainly! I'll review and improve the code examples for CWE-400 (Uncontrolled Resource Consumption) while addressing the issues you've outlined. I'll ensure the examples are clear, realistic, and follow best practices.
const http = require('http');
http.createServer((req, res) => {
// This endpoint allows unlimited data to be sent in the request body,
// leading to potential uncontrolled resource consumption.
let body = '';
req.on('data', chunk => {
body += chunk; // Accumulates data in memory, vulnerable to large payloads
});
req.on('end', () => {
res.end('Data received');
});
}).listen(3000);
How to fix Uncontrolled Resource Consumption?
Handling incoming data streams without size limits can lead to uncontrolled resource consumption, potentially exhausting server memory and making it unresponsive. To address this vulnerability, implement size limits for incoming data and terminate connections that exceed the threshold.
Specific Fixes:
- Set a maximum data size limit on incoming requests.
- Terminate the connection if the limit is exceeded, conserving server resources.
Fixed Code Example
const http = require('http');
const MAX_BODY_SIZE = 1e6; // Set maximum body size to 1MB
http.createServer((req, res) => {
let body = '';
req.on('data', chunk => {
body += chunk;
if (body.length > MAX_BODY_SIZE) { // Check if body exceeds maximum size
res.writeHead(413, {'Content-Type': 'text/plain'}); // Send a 413 Payload Too Large status
res.end('Request Entity Too Large'); // Inform client of the issue
req.connection.destroy(); // Terminate connection if limit exceeded
}
});
req.on('end', () => {
if (body.length <= MAX_BODY_SIZE) {
res.end('Data received');
}
});
}).listen(3000);
By reading data in chunks and setting a maximum size limit, you mitigate the risk of resource exhaustion due to uncontrolled resource consumption. This approach ensures that your application remains responsive and stable even with large input sizes. Additionally, sending an appropriate HTTP status code informs the client of the reason for the termination, improving communication and debugging.