Business Logic / Number of Times a Function Can Be Used Limits

Web and API

Description

Number of Times a Function Can Be Used Limits is a Business Logic weakness in Web and API applications. The OWASP Web Security Testing Guide (WSTG) covers it under WSTG-BUSL-05, "Test Number of Times a Function Can Be Used Limits". The weakness is present when an application does not enforce, or enforces only on the client side, a limit on how many times a user may invoke a function that is meant to be used a fixed number of times, such as redeeming a discount code, casting a vote, requesting a password reset or placing an order against limited stock. A malicious actor who can call the function more often than intended can exhaust server resources (denial of service), obtain a benefit repeatedly, or otherwise abuse the business process the limit was meant to protect.

Risk

The risk of the vulnerability is assessed as medium. If exploited, repeated calls can exhaust server resources and cause a denial of service, up to a complete outage of the affected service. More often the impact is financial or procedural: an attacker obtains a benefit more times than the business rules allow (multiple discounts, votes, refunds or account operations). Where the limited function guards access to restricted resources or sensitive information, calling it without limit can also expose that data.

Solution

The solution is to enforce the limit on the server side, keyed to the authenticated user (or another trusted principal such as an account, session or API key), and never to rely on counters, hidden form fields or cookies that the client controls. The check and the increment must be performed atomically against shared server-side state, so that concurrent requests cannot slip past the limit; a race between "check the counter" and "increment the counter" is a common bypass. Every call, including rejected ones, should be logged so that abuse of the function can be detected and the limit itself can be tuned. Finally, test the function by calling it one more time than the limit allows and confirming that the extra call is refused.
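The following Python example is added here to show the solution above in working code; it is not code from the original page or from any vendor product. It assumes an in-memory store guarded by a lock (a production deployment would keep the counters in a shared store such as a database or cache so that all application instances see the same state), and the function and class names (UsageLimiter, try_consume, FakeClock, simulate) are illustrative choices, not an existing API. The limiter keys each counter on the authenticated principal and the function name, performs check-and-increment under one lock, logs both accepted and rejected calls, and resets the counter when the time window expires.

```python
import logging
import threading
import time

log = logging.getLogger("usage_limit")


class UsageLimiter:
    """Server-side limit on how many times a principal may invoke a function
    within a time window. State is kept in memory here (assumption for the
    example); a real service would use a shared store."""

    def __init__(self, max_uses, window_seconds, clock=time.monotonic):
        self.max_uses = max_uses
        self.window = window_seconds
        self.clock = clock            # injectable clock so the example is testable
        self._lock = threading.Lock()
        self._buckets = {}            # (principal, function) -> (window_start, count)

    def try_consume(self, principal, function):
        """Return True and count one use if the principal is still under the
        limit for this function, otherwise log the rejection and return False.
        Check and increment happen under one lock, so concurrent requests
        cannot both pass the check and exceed the limit."""
        now = self.clock()
        key = (principal, function)
        with self._lock:
            start, count = self._buckets.get(key, (now, 0))
            if now - start >= self.window:   # window expired: start a fresh one
                start, count = now, 0
            if count >= self.max_uses:
                log.warning("usage limit exceeded principal=%s function=%s count=%d",
                            principal, function, count)
                return False
            self._buckets[key] = (start, count + 1)
            log.info("usage accepted principal=%s function=%s count=%d",
                     principal, function, count + 1)
            return True


class FakeClock:
    """Deterministic clock for the constructed scenario below."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def redeem_coupon(limiter, user, code):
    """Example business function: a coupon may be redeemed at most
    limiter.max_uses times per user per window. Returns the outcome as a
    string so the caller (or a test) can inspect it."""
    if not limiter.try_consume(user, "redeem_coupon"):
        return "rejected: limit reached"
    # ... apply the discount for `code` here ...
    return "redeemed " + code


def simulate():
    """Constructed scenario: alice redeems three times (allowed), a fourth
    time (rejected), bob redeems once (his own counter), and alice redeems
    again after the window has passed (allowed)."""
    clock = FakeClock()
    limiter = UsageLimiter(max_uses=3, window_seconds=60, clock=clock)
    results = [limiter.try_consume("alice", "redeem_coupon") for _ in range(4)]
    results.append(limiter.try_consume("bob", "redeem_coupon"))
    clock.advance(61)
    results.append(limiter.try_consume("alice", "redeem_coupon"))
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(simulate())
    lim = UsageLimiter(max_uses=1, window_seconds=3600)
    print(redeem_coupon(lim, "alice", "SAVE10"))
    print(redeem_coupon(lim, "alice", "SAVE10"))
```

The key design points are that the counter is keyed on the server-side identity of the caller, never on anything the client sends, and that the decision and the increment are one critical section. The same structure applies to votes, password-reset requests or order placement; only the key and the window change.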

Example

The following C snippet is a simplified illustration of a counter-based execution limit. Note that a single process-wide counter limits the total number of calls across all users rather than the calls of each user, which is rarely what a business rule requires, and that the check and the increment must be atomic for the limit to hold under concurrent requests.

#include <stdatomic.h>

#define MAX_EXECUTIONS 5

/* Process-wide counter: limits total calls, not calls per user. */
static atomic_int num_executions = 0;

void foo(void) {
  /* Reserve a slot atomically so two concurrent callers cannot both pass the check. */
  if (atomic_fetch_add(&num_executions, 1) >= MAX_EXECUTIONS) {
    return;  /* limit reached: refuse to execute */
  }
  // Other code
}
