OWASP API Top 10:2023 – Unrestricted Resource Consumption
While modern applications offer user-friendly interfaces, the APIs behind these interfaces do more than just transfer data; they also use many critical resources such as network bandwidth, CPU power, memory, storage space, and even third-party services. The uncontrolled consumption of these resources is a serious security vulnerability that directly affects both service continuity and operating costs. Unrestricted Resource Consumption, which ranks fourth on the OWASP API Top 10:2023 list, is at the top of such risks. In the fourth part of our series, we take a detailed look at this issue.

This type of vulnerability arises when there are no limits or control mechanisms in place to regulate how many resources API requests can consume. In other words, if users are not prevented from running numerous or costly operations in succession, the system becomes vulnerable in terms of both performance and cost. This situation often goes unnoticed during load testing or in real user traffic; for attackers, however, it is a direct way to slow down or shut down the system.
In real life, this vulnerability can manifest itself in different ways. For example, if an identity verification service sends SMS-based OTPs and no rate limit is applied to this process, an attacker can send hundreds of OTP requests in seconds, multiplying the cost of SMS services and slowing down the system. In another example, if the file upload endpoint does not perform maximum size checks, an attacker can fill up storage space in a short time by uploading very large files. Similarly, if there are no date range restrictions in the reporting API, an attacker can run massive data queries spanning years, pushing CPU usage to 100%. Furthermore, if there is no brute force protection in the login endpoint, numerous password attempts can strain the authentication infrastructure and unnecessarily consume third-party services in the background.
The dangerous aspect of this vulnerability is that it is often not visible in the interface. Users may not notice it while using the application’s normal functions; however, a malicious actor could use automated tools or scripts to send highly intensive or costly requests to the API. Such attacks can not only cause the service to stop but also lead to unexpected bills, exceeding third-party service quotas, and severely compromising the customer experience.
The way to protect against this type of vulnerability is to incorporate resource management awareness into both the design and testing processes. Limits should be set for each endpoint based on requests, users, and time intervals; rate limiting, throttling, and quota management mechanisms should be implemented. File upload sizes should be limited, queries should be optimized, and predefined quotas should be set for costly operations. Daily or monthly usage limits should be set for third-party services, and asynchronous job queues should be kept under control. In addition, repetitive authentication attempts such as brute force should also be included in this scope, and numerical limits and additional verification steps should be added to login attempts.
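As an added illustration of the per-user, per-endpoint limits, daily quotas for costly operations and upload-size cap described above (example code written for this post, not part of Apifort or any other tool named here; the endpoint names, limit values and the `ResourceGuard` class are assumptions), a minimal in-memory guard that an API layer would consult before doing any work:

```python
import time
from collections import defaultdict, deque


class ResourceGuard:
    """Sliding-window rate limit per (user, endpoint), a per-day quota for
    costly endpoints (e.g. OTP sends) and a hard cap on request body size.
    Hypothetical example; limit values are chosen for illustration only."""

    def __init__(self, limits, quotas, max_upload_bytes, clock=time.time):
        self.limits = limits              # {endpoint: (max_requests, window_seconds)}
        self.quotas = quotas              # {endpoint: max_requests_per_day}
        self.max_upload_bytes = max_upload_bytes
        self.clock = clock                # injectable for deterministic tests
        self.windows = defaultdict(deque)  # (user, endpoint) -> request timestamps
        self.daily = defaultdict(int)      # (user, endpoint, day) -> count

    def check(self, user, endpoint, body_size=0):
        """Return (allowed, reason). Rejected requests are not recorded, so
        they consume no budget and the cheap reject path stays cheap."""
        now = self.clock()
        # 1. Size check first: refuse oversized uploads before touching storage.
        if body_size > self.max_upload_bytes:
            return False, "payload too large"
        # 2. Short-window rate limit (e.g. 3 OTP requests per minute).
        max_req, window = self.limits.get(endpoint, (None, None))
        if max_req is not None:
            q = self.windows[(user, endpoint)]
            while q and now - q[0] >= window:  # drop timestamps outside the window
                q.popleft()
            if len(q) >= max_req:
                return False, "rate limit exceeded"
        # 3. Daily quota for operations that cost money (SMS, third-party calls).
        quota = self.quotas.get(endpoint)
        day_key = (user, endpoint, int(now // 86400))
        if quota is not None and self.daily[day_key] >= quota:
            return False, "daily quota exhausted"
        # Accepted: charge the request against both counters.
        if max_req is not None:
            self.windows[(user, endpoint)].append(now)
        if quota is not None:
            self.daily[day_key] += 1
        return True, "ok"


def simulate_burst(guard, user, endpoint, n):
    """How many of n back-to-back requests get through (the OTP-flood scenario)."""
    return sum(1 for _ in range(n) if guard.check(user, endpoint)[0])
```

In a real deployment the counters would live in a shared store such as Redis so that every API instance enforces the same limits.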
Of course, a robust testing process is also an integral part of this security. It is necessary to perform load testing on the API with different scenarios, simulate large file uploads, heavy queries, and brute force authentication attempts, and observe how these operations affect system resources. This process can be supported by manual testing or can be carried out continuously and automatically using tools such as Postman, JMeter, and APIStrike.
The key principle to remember is this: deciding how many resources to allocate to your API is just as important as defining when not to allocate them, because that decision is critical for security. The absence of controls over resource consumption creates an opportunity for attackers to both disrupt your system and increase your costs. Therefore, resource management and throttling are critical security layers that must not be overlooked in modern API architectures.
Apifort, a local solution, addresses this exact need.
By monitoring requests to your APIs in real time, it helps minimize both performance loss and cost risks.
In the next part of our series, we will continue this security journey together by addressing the other vulnerabilities in the OWASP API Top 10 list.
