Skip to content

Security Test: Security timeout

Description

Default Severity:

When an application doesn’t set suitable limits on how long a request can run, attackers can purposely send heavy or complex requests that take too long to process, tying up resources and potentially denying service to legitimate users. This issue usually happens when developers rely on arbitrary timeout thresholds that don’t necessarily match the real-world demands of the application, leading to a situation where even a single carefully crafted query can slow down or temporarily incapacitate the service. Being unaware of proper timeout settings or defaulting to ones that are too generous is a common pitfall, and it leaves the system open to abuse and performance degradation.

Reference:

Configuration

Identifier: frontend_resource_limitation/timeout

Examples

All configuration available:

checks:
  frontend_resource_limitation/timeout:
    skip: false # default

Compliance and Standards

Standard Value
OWASP API Top 10 API7:2023
OWASP LLM Top 10 LLM04:2023
PCI DSS 6.5.10
GDPR Article-32
SOC2 CC1
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP AC-4
CWE 400
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
CVSS Score 7.2