CWE-405: Asymmetric Resource Consumption (Amplification)
Learn about CWE-405 (Asymmetric Resource Consumption (Amplification)), its security impact, exploitation methods, and prevention guidelines.
What is Asymmetric Resource Consumption (Amplification)?
• Overview: Asymmetric Resource Consumption (Amplification) is a security vulnerability where an attacker can cause a system to use excessive resources disproportionate to the attacker's effort or authorization level. This often results in resource exhaustion and degraded performance.
• Exploitation Methods:
- Attackers exploit this vulnerability by making the system perform expensive operations with minimal input or effort.
- Common attack patterns include sending malformed requests, leveraging recursive calls, or exploiting poorly optimized algorithms to consume CPU, memory, or bandwidth.
• Security Impact:
- Direct consequences include resource exhaustion, denial of service, and degraded system performance.
- Potential cascading effects involve system crashes, affecting other services or applications dependent on the compromised system.
- Business impact can include loss of revenue, customer dissatisfaction, and damage to reputation due to system downtime or performance issues.
• Prevention Guidelines:
- Specific code-level fixes include implementing input validation, rate limiting, and resource quotas to manage resource allocation effectively.
- Security best practices involve conducting thorough code reviews, performing regular performance testing, and designing algorithms to handle resource-intensive operations efficiently.
- Recommended tools and frameworks are those that offer monitoring and alerting capabilities, such as application performance monitoring (APM) tools, to detect anomalous resource usage patterns early.
Corgea can automatically detect and fix Asymmetric Resource Consumption (Amplification) in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not Technology-Specific, Client Server
Vulnerable Code Example
from flask import Flask, request
app = Flask(__name__)
@app.route('/amplify', methods=['POST'])
def amplify():
# Vulnerable to Asymmetric Resource Consumption (Amplification)
# An attacker can send a small request to initiate a large resource consumption
# by providing a large multiplier value, leading to excessive memory usage.
data = request.json
multiplier = data.get('multiplier', 1)
# Returns a large amount of data based on the multiplier
response_data = "A" * (multiplier * 1000000)
return response_data
if __name__ == '__main__':
app.run()
How to fix Asymmetric Resource Consumption (Amplification)?
To fix this vulnerability, we need to implement input validation and limits on the resources that can be requested or consumed by a client. This involves:
- Input Validation: Ensure that inputs are within an acceptable range and are of the expected type.
- Resource Limitation: Set upper bounds on the resources that can be consumed, regardless of the input.
- Authentication and Authorization: Limit the endpoints' access to authenticated and authorized users, where appropriate, to prevent abuse by anonymous users.
Applying these principles ensures that an attacker cannot exploit the system to consume excessive resources without proper authorization or investment.
Fixed Code Example
from flask import Flask, request, jsonify
app = Flask(__name__)
@app.route('/amplify', methods=['POST'])
def amplify():
data = request.json
multiplier = data.get('multiplier', 1)
# Fix: Validate that the multiplier is an integer and within a safe range
if not isinstance(multiplier, int) or multiplier < 1 or multiplier > 10:
return jsonify({"error": "Invalid multiplier value"}), 400
# Limit the response size to prevent excessive resource consumption
response_data = "A" * min(multiplier * 1000, 10000)
return response_data
if __name__ == '__main__':
app.run()
In this fixed version, we have added input validation to ensure that the multiplier is an integer and within a safe range (1 to 10). Additionally, we've capped the maximum response size to 10,000 characters, preventing excessive resource consumption. This effectively mitigates the risk of asymmetric resource consumption attacks.