OWASP Tactical Access Defense Series: Unrestricted Resource Consumption

Unrestricted resource consumption occurs when an API does not adequately limit or control the consumption of its resources, such as CPU, memory, disk space, network bandwidth, or database connections. This lack of control can lead to resource exhaustion and denial of service (DoS) conditions.

In this article, we are going through API4 item from OWASP top 10 API Security risks exploring F5 BIG-IP Access Policy Manager (APM) role in our arsenal. 


Identify Vulnerable APIs

It's common to find APIs that do not limit client interactions or resource consumption. 

APIs can affect different backend endpoint resources: 

  • Control number of resources returned. 
  • Infer extra costs on service providers' business/pricing model.
  • exhuast resources CPU, memory, disk space or network connections. 

Common examples of this vulnerability: 

  • Allowing excessively large payloads in requests.
  • Permitting unbounded loops or deep recursion in API processing logic.
  • Lack of rate limiting, which could allow attackers to overwhelm the API with too many requests.
  • Insufficient control over the creation and management of server-side sessions.

Out of the Shadows: API Discovery and Security presents an incredible way to secure APIs via F5 Distributed Cloud (F5 XC). In our article we focus on access capabilities, which can be highlighted here in rate limiting the requests associated with a specific user/machine.

Mitigating Risks with BIG-IP APM


BIG-IP APM per-request granularity. With per-request granularity, organizations can dynamically enforce access policies based on various factors such as user identity, device characteristics, and contextual information. This enables organizations to implement fine-grained access controls at the API level, mitigating the risks associated with Unrestricted Resources Consumption.

 Key Features:

  1. Dynamic Access Control Policies: BIG-IP APM empowers organizations to define dynamic access control policies that adapt to changing conditions in real-time. By evaluating each API request against these policies, BIG-IP APM ensures that only authorized users can access specific resources and perform permitted actions.

  2. Granular Authorization Rules: BIG-IP APM enables organizations to define granular authorization rules that govern access to individual objects or resources within the API ecosystem. By enforcing strict authorization checks at the object level, F5 APM prevents unauthorized users from tampering with sensitive data or performing unauthorized actions.

  3. Apply rate limiting to APIs based on initiator identity, which provides a great way to protect while maintaining the service for legitimate users.


Related Content 

Published Jun 06, 2024
Version 1.0

Was this article helpful?

No CommentsBe the first to comment