Learn how to compromise an API like a pro by leveraging the Lack of Resources and Rate Limiting!

Introduction

Most of the OWASP API Security Top 10 list is crowded with Authorization issues. So I think it's important to know the difference between Authentication & Authorization.

If you already know it, then read on. Else, stop by and check this post out on Authentication and Authorization for Dummies:

Authentication and Authorization for Dummies

A much needed post on clearing these fundamental concepts and helping in setting up an analogy that you’d never forget!

medium.com

Why these posts?

I think it must be clear now that traditional web applications security is being matched up with the newer paradigm where APIs are ruling the world.

So the goal with these posts would be to share all you need to up your API Security game and develop a pentesting methodology.

If that sounds like something up your alley, then stick along with me and we will learn all the methodology for pentesting APIs.

Lack of Resources and Rate Limiting

As the name suggests, this vulnerability happens when the server doesn't has enough resources to satisfy the requests of all the users or has missing rate limits.

Now a server might have adequate resources to satisfy user requests but let's say that a malicious user makes the server do more work like pulling 1000s of records which are both memory and CPU intensive, let's say. Then too the resource constraint would be there right.

And that's where this vulnerability happens.

Example Scenario

Say I have an account at e-shoppe.com and wish to login to my account. Upon login, I receive an OTP (because I am a security aware person, so I have 2FA enabled).

[A few seconds later…]

I receive back the OTP. It's a 4-digit OTP — all numbers.

Now my spider-sense tells me to maybe try sending multiple requests and see if I can guess the OTP.

So I wrote a Python script (because who doesn't loves it) and send a lot of concurrent requests to the API.

A moment later, I discovered that the script had successfully found the correct OTP and the website happily accepted it. That was fun and it was the lack of rate limiting that led to this attack!

I believe that you now understand this vulnerability (let's call it LoReaRL for the sake of brevity). So let's jump on to the methodology which is the primary focus for these posts.

If you think that you understand it well, then read on. If not, then it would be quite helpful to learn it first. Else you will be missing on some things…

One great source that immediately comes to my mind is (you guessed it!) is the OWASP's crAPI.

Pentesting Methodology

Now you understand LoReaRL well. Let's see how can we hunt for this issue. And more importantly how can we escalate it!

Now depending on the application, what you would do is: Identify the API endpoints that do not enforce any rate-limits or accept user-input blindly and generate some heavy response based on that.

This would be the most important thing. Because once you know which all APIs are the possible suspects, then we can proceed with the exploitation, a.k.a the fun part.

In order to hunt for these issues, try doing the following to locate the (potentially) vulnerable APIs:

  1. For an API that accepts user image, upload a very large file: 1–2 GB worth of content, and see if the backend API happily accepts it.
  2. For an API fetching a number of records depending on user input (Ex: get the content of 100 posts or last 100 commits), see if you can request an unreasonable amount of records containing a huge data, in turn taking up a lot of resources on the backend to serve this request.
  3. For an API see if you can send a lot of requests in a short time period. This would indicate that there are missing rate-limit checks.

Sweet! Now you would have known of all the vulnerable APIs, the next step would be the exploitation.

Exploitation

  1. For APIs which can accept a large file or a large user input, see if the page that loads the supplied data (like the uploaded image) is slow(ish)?
  2. For APIs that return a large set of records, see if the server becomes slow for other requests sent at the same time?
  3. If the is no rate-limiting on the API, then see if you could send a lot of login requests to get into an account. Else too see if you can make the server unresponsive (ofcourse this must not be done unless explicitly stated in the pentesting scope).
  4. In either case, congrats yourself since you found out an LoReaRL vulnerability! Enjoy, have fun, buy some bitcoins, start a company, go for a vacation from the bounty money or just read on…
  5. If it didn't worked, then worry not, look for the next issue — that is —Broken Function Level Authorization, which is the subject of our next post.

Closing Thoughts

I hope that you now understand and are able to exploit Lack of Resources and Rate Limiting vulnerabilities right when you see one!

Feel free to spread this article so that more folks can learn about hunting for rate limiting related issues and API security in general.

Note: If you would like to get a pentest or source code review of your web/mobile apps and APIs, and see how really secure they are, feel free to DM me on LinkedIn or check out my pentesting services. If you know someone who might find value in my work, please refer me. Your support is great appreciated.

Until next time, keep learning and happy hacking!