OWASP API Top 10 Explained: Unrestricted Resource Consumption
Unrestricted Resource Consumption occurs when an attacker bombards an API with excessive requests, overwhelming it or causing service lockouts. Instead of being blocked after a few failed attempts, the attacker has unlimited tries until they breach the system and access sensitive data.
This happens when insufficient safeguards are in place, such as timeouts, limits on file upload sizes, or limits on the number of requests an API client can make. The most common result is a Denial of Service (DoS) attack, where the system crashes under the strain of too many requests. However, it can also lead to data leaks and authentication breaches.
In 2023, there was a surge in such attacks, with Cloudflare handling over 26 trillion requests and thwarting 5.2 million attacks. Despite a recent decrease in numbers, the rise of AI tools may cause a resurgence in 2024.
For instance, T-Mobile suffered a massive data breach affecting 30 million customers due to a lack of rate limiting on an API endpoint, resulting in hefty legal consequences.
To tackle these challenges and strengthen their defenses against unrestricted resource consumption, organizations should implement measures such as rate limiting, input validation, and load balancing in their cloud application environment.
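As an added illustration (not code from the original post), a minimal Python guard that applies the safeguards the post names: a per-client request limit over a sliding window, a lockout after repeated failed logins, and a cap on request body size. The `ResourceGuard` class and its limit constants are assumptions for the example; an injectable clock makes the behaviour testable offline.

```python
import time
from collections import defaultdict, deque

# Limits assumed for illustration; tune them per endpoint in a real deployment.
MAX_REQUESTS_PER_WINDOW = 100        # requests allowed per client per window
WINDOW_SECONDS = 60
MAX_FAILED_LOGINS = 5                # consecutive failed logins before lockout
LOCKOUT_SECONDS = 900
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # 5 MiB cap on request bodies


class ResourceGuard:
    """Per-client sliding-window rate limit, failed-login lockout and body-size cap."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.requests = defaultdict(deque)   # client -> timestamps of recent requests
        self.failures = defaultdict(int)     # client -> consecutive failed logins
        self.locked_until = {}               # client -> time at which lockout expires

    def check_request(self, client_id, body_size=0):
        """Return (allowed, reason). Run this before any expensive work is done."""
        now = self.clock()
        if self.locked_until.get(client_id, 0) > now:
            return False, "locked_out"
        if body_size > MAX_UPLOAD_BYTES:
            return False, "payload_too_large"
        window = self.requests[client_id]
        # Drop timestamps that have aged out of the sliding window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REQUESTS_PER_WINDOW:
            return False, "rate_limited"
        window.append(now)
        return True, "ok"

    def record_login_result(self, client_id, success):
        """Track login outcomes; return True when this result triggers a lockout."""
        if success:
            self.failures[client_id] = 0
            return False
        self.failures[client_id] += 1
        if self.failures[client_id] >= MAX_FAILED_LOGINS:
            self.locked_until[client_id] = self.clock() + LOCKOUT_SECONDS
            self.failures[client_id] = 0
            return True
        return False
```

Rejected requests should be logged with the reason so that detection tooling can spot a client that keeps hitting `rate_limited` or `locked_out`.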
In summary, Unrestricted Resource Consumption poses a significant threat, causing service disruptions, data breaches, and financial losses. To safeguard against these attacks, organizations must adopt robust security measures and leverage specialized tools from vendors that focus specifically on AppSec.
This is the fourth blog post in a 10-part series on the OWASP API Security Top 10. Below are links to the prior posts.
API2: Broken Authentication