Availability / Unrestricted Resource Consumption

Web and API

Description

Unrestricted Resource Consumption is an API vulnerability that occurs when resource usage is not sufficiently limited, allowing a client to consume an excessive share of resources. Such resources include CPU, memory and network bandwidth. Third-party API services can also be consumed resources; they may be billed per use or have usage limits of their own, for example SMS/phone call, database, AI or computation services. The OWASP project lists this vulnerability in its API Security Top 10. It may additionally be classified under CWE-770, CWE-400 or CWE-799.

Risk

This vulnerability may reduce the resources available to other users, or even cause a denial of service. Additionally, it can drive up costs if external API integrations are billed per use, or exhaust a spending limit where one is set.

Solution

A solution to this vulnerability is to limit the usage of the affected resources. For example:

  • Rate limiting of requests.
  • Limits on resource usage per customer and time period.
  • Size limits for inputs of all kinds of data types (e.g. files, strings, arrays, ...).
  • Spending limits or billing alerts configured for external APIs.
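The following is an added example (not part of this page's original content) showing how the first three measures combine in one server-side check: input size limits, a per-client rate limit and a per-client quota for operations that call a paid external service. All limit values, the `Limiter` class and its `check` method are assumptions chosen for illustration.

```python
from __future__ import annotations
import time
from dataclasses import dataclass

@dataclass
class ClientState:
    window_start: float = 0.0   # start of the current rate-limit window
    window_count: int = 0       # requests accepted in that window
    day_start: float = 0.0      # start of the current quota period
    day_used: int = 0           # costly operations used in that period

class Limiter:
    """Per-client fixed-window rate limit, per-client quota for costly
    operations, and size limits on inputs. All limit values are assumptions."""

    def __init__(self, rate_limit=10, rate_window=60, quota=500,
                 quota_period=86400, max_body=64 * 1024, max_items=100,
                 now=time.time):
        self.rate_limit, self.rate_window = rate_limit, rate_window
        self.quota, self.quota_period = quota, quota_period
        self.max_body, self.max_items = max_body, max_items
        self.now = now  # injectable clock so the logic can be tested offline
        self.clients: dict[str, ClientState] = {}

    def check(self, client_id: str, body: bytes, items: list,
              costly: bool) -> tuple[bool, str]:
        """Return (allowed, reason). Cheap size checks run first so that a
        rejected request consumes as little server effort as possible."""
        if len(body) > self.max_body:
            return False, "body too large"
        if len(items) > self.max_items:
            return False, "too many items"
        st = self.clients.setdefault(client_id, ClientState())
        t = self.now()
        # Fixed-window rate limit: reset the counter once the window elapsed.
        if t - st.window_start >= self.rate_window:
            st.window_start, st.window_count = t, 0
        if st.window_count >= self.rate_limit:
            return False, "rate limit exceeded"
        # Quota for operations that consume a paid external service.
        if costly:
            if t - st.day_start >= self.quota_period:
                st.day_start, st.day_used = t, 0
            if st.day_used >= self.quota:
                return False, "quota exhausted"
            st.day_used += 1
        st.window_count += 1
        return True, "ok"
```

In a real deployment the per-client state would live in shared storage (for example Redis) so that every API instance enforces the same limits, and the quota would be checked before the external call is made, not after.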
