Skip to content

Resource limiting bypass

Description

Resource limiting bypass occurs when a pagination or another limiting method has no upper limit and can create large responses or crash the server, causing a Denial Of Service.

Remediation

To remediate a resource limiting bypass vulnerability, follow these steps:

  1. Implement strict resource usage quotas and limits for users and processes.
  2. Regularly review and adjust the limits based on usage patterns and requirements.
  3. Use monitoring tools to detect unusual activity that could indicate an attempt to bypass resource limits.
  4. Apply rate limiting to prevent abuse of services and APIs.
  5. Ensure that all input validation checks are in place to prevent malicious input from triggering a bypass.
  6. Update the application and system software to the latest versions to patch known vulnerabilities.
  7. Conduct regular security audits and penetration testing to identify and fix potential bypass methods.
  8. Enforce the principle of least privilege by granting minimal access rights necessary for users and services.
  9. Use security mechanisms like Web Application Firewalls (WAFs) to detect and block exploit attempts.
  10. Educate users and administrators about the importance of adhering to resource usage policies.

GraphQL Specific

Apollo Implement strict pagination controls in Apollo server by setting a maximum limit for the number of records retrievable in a single request and enforce this limit within resolvers to prevent resource exhaustion and potential Denial of Service attacks.
Yoga Implement strict pagination controls in the Yoga framework by setting a maximum limit for the number of records that can be fetched in a single request. Additionally, enforce server-side checks to prevent clients from overriding these limits, thus avoiding large responses or potential server crashes due to resource exhaustion.
Awsappsync Implement strict pagination controls in AWS AppSync by setting maximum limits on the number of items returned in a single request and enforcing these limits within the GraphQL schema to prevent large responses or server overload.
Graphqlgo Implement query complexity analysis in GraphQLGo to prevent resource exhaustion. Set sensible defaults and maximum limits for query depths and returned object counts to avoid large responses or server crashes.
Graphqlruby Implement query complexity analysis in GraphQLRuby to ensure that the cost of a query does not exceed a predefined threshold, thus preventing excessively large queries that could lead to resource exhaustion or server crashes.
Hasura Implement strict query depth limits and cost analysis to prevent complex queries from overloading the Hasura engine, and enforce pagination with maximum page size limits to mitigate potential denial of service attacks.
Agoo Implement strict pagination limits and enforce maximum resource thresholds to prevent excessive data retrieval and potential server overload in the Agoo framework.
Ariadne Implement strict pagination limits and enforce maximum resource thresholds in the Ariadne framework to prevent resource limiting bypass and potential Denial of Service.
Caliban Implement strict pagination limits and enforce maximum resource allocation to prevent excessive data retrieval and potential server overload in the Caliban framework.
Dgraph Implement strict pagination limits and enforce maximum query depth to prevent resource exhaustion in Dgraph.
Dianajl Implement strict pagination limits in the dianajl framework engine to prevent excessive data retrieval and potential server overload.
Directus Implement strict pagination limits and enforce maximum resource thresholds in Directus to prevent resource limiting bypass and potential Denial of Service.
Flutter Implement server-side pagination with a maximum limit to prevent excessive data requests and ensure stable performance in the Flutter framework.
Graphene Implement strict pagination limits and enforce maximum query depth and complexity in the Graphene framework to prevent resource exhaustion and potential Denial of Service.
Graphqlapiforwp Implement strict pagination limits and enforce maximum query complexity in the GraphQL API to prevent resource exhaustion.
Graphqlgophergo Implement strict query depth and complexity analysis to prevent resource exhaustion in GraphQL queries.
Graphqljava Implement query complexity analysis and depth limiting in the GraphQL Java engine to prevent resource exhaustion and potential Denial of Service.
Graphqlphp Implement maximum query depth and complexity analysis to prevent overly complex or large queries in the GraphQLPHP framework.
Graphqlyoga Implement maximum query complexity and depth limits in GraphQL Yoga to prevent resource exhaustion and potential Denial of Service attacks.
Hypergraphql Implement strict pagination limits and enforce maximum query depth to prevent resource exhaustion in HyperGraphQL.
Jaal Implement strict pagination limits and enforce maximum resource thresholds to prevent excessive data retrieval and potential server overload in the Jaal framework engine.
Juniper Implement strict pagination limits and enforce maximum resource thresholds to prevent excessive data retrieval and potential server overload in the Juniper framework engine.
Lacinia Implement strict pagination limits and enforce maximum query depth and complexity in Lacinia to prevent resource exhaustion.
Lighthouse Implement strict pagination limits to prevent excessive data retrieval and potential server overload in the Lighthouse framework engine.
Mercurius Implement strict pagination limits and enforce maximum resource thresholds in the Mercurius framework to prevent resource limiting bypass and potential Denial of Service.
Morpheusgraphql Implement strict pagination limits and enforce maximum query depth and complexity in MorpheusGraphQL to prevent resource exhaustion and potential Denial of Service.
Qglgen Implement strict pagination limits in gqlgen to prevent resource exhaustion by setting a maximum value for items per page.
Sangria Implement a maximum limit on the number of results returned by queries in the Sangria framework to prevent resource exhaustion and potential Denial of Service.
Shopify Implement strict pagination limits and validate input parameters to prevent excessive data requests in the Shopify framework.
Stepzen Implement strict pagination limits and enforce maximum query depth to prevent resource exhaustion in the StepZen framework.
Strawberry Implement strict pagination limits and enforce maximum resource thresholds in the Strawberry framework to prevent resource limiting bypass and potential Denial of Service attacks.
Tartiflette Implement strict pagination limits and enforce maximum query depth and complexity in the Tartiflette engine to prevent resource exhaustion.
Wpgraphql Implement strict pagination limits and enforce maximum query depth in WPGraphQL to prevent resource exhaustion and potential Denial of Service.

REST Specific

Asp_net Implement server-side input validation to enforce strict pagination limits and use robust error handling to prevent users from requesting excessively large datasets that could lead to server strain or Denial of Service (DoS) conditions.
Ruby_on_rails Implement server-side pagination with strict upper limits and enforce them using ActiveRecord's `limit` and `offset` methods to prevent large or unbounded result sets that could lead to performance issues or Denial of Service.
Next_js Implement server-side checks to enforce pagination limits and validate user input to prevent excessively large data requests that could lead to a Denial of Service (DoS). Utilize Next.js API routes to control data fetching and ensure that the limits are respected.
Laravel Implement server-side checks in Laravel to enforce upper limits on pagination and other resource queries. Use Laravel's built-in pagination methods, such as 'paginate()', 'simplePaginate()', or 'cursorPaginate()', to automatically handle safe data fetching with sensible limits. Additionally, validate and sanitize all user inputs to prevent excessively large requests that could lead to a Denial of Service (DoS).
Express_js Implement middleware in Express.js to validate and enforce pagination limits, such as maximum page size, to prevent large responses or server overload.
Django Implement pagination with Django's Paginator class, set a reasonable default page size, and enforce a maximum page size limit to prevent large queries. Use Django's built-in query parameter validation to ensure users cannot bypass the limits.
Symfony Implement strict pagination controls in Symfony by using the 'setMaxResults' method from the Doctrine QueryBuilder to define an upper limit for query results. Additionally, validate and sanitize all user inputs for pagination to prevent excessively large data requests that could lead to a Denial of Service (DoS).
Spring_boot Implement server-side pagination with sensible defaults and maximum limits for page sizes, and enforce strict type checking on user-supplied parameters to prevent large or unexpected queries that could lead to a Denial of Service.
Flask Implement server-side checks to enforce maximum limits on pagination and request sizes within your Flask application to prevent large or unlimited result sets that could lead to Denial of Service.
Nuxt Implement server-side checks to enforce maximum limits on pagination and request sizes within the Nuxt application to prevent large responses or server overload, ensuring stability and availability.
Fastapi Implement pagination with maximum page size limits and enforce strict parameter validation to prevent excessively large requests in FastAPI routes.
Frappe Implement strict pagination limits and enforce maximum resource allocation to prevent excessive data retrieval and potential server overload in the Frappe framework.
Genzio Implement strict pagination limits and enforce maximum resource thresholds in the Genzio framework engine to prevent resource limiting bypass and potential Denial of Service.
Gin Implement request size limits and pagination with strict upper bounds in the Gin framework to prevent resource exhaustion and potential Denial of Service.
Gorilla Implement strict pagination limits to prevent excessive data retrieval and potential server overload.
Hapi Implement request payload validation and set maximum limits on query parameters to prevent resource exhaustion in the Hapi framework.
Hono Implement strict pagination limits and enforce maximum resource allocation to prevent excessive data retrieval and potential server overload in the Hono framework engine.
Jersey Implement strict pagination limits and validate input parameters to prevent excessive resource consumption in the Jersey framework.
Koa Implement strict pagination limits and validate input parameters to prevent excessive resource consumption in Koa applications.
Ktor Implement request rate limiting and set maximum bounds on pagination parameters to prevent excessive resource consumption in Ktor applications.
Leptos Implement strict pagination limits and enforce maximum resource allocation to prevent excessive data retrieval and potential server overload in the Leptos framework.
Macaron Implement strict pagination limits and validate input parameters to prevent resource exhaustion in the Macaron framework.
Phoenix Implement strict pagination limits and enforce maximum resource thresholds in Phoenix Framework to prevent resource limiting bypass and potential Denial of Service.
Redwoodjs Implement strict pagination limits and server-side validation to prevent excessive data requests in RedwoodJS applications.
Rocket Implement strict pagination limits and validate input parameters to prevent excessive resource consumption in Rocket framework applications.
Sveltekit Implement server-side pagination with a maximum limit on the number of items per page to prevent resource exhaustion in SvelteKit applications.

Configuration

Identifier: resource_limitation/resource_limiting_bypass

Examples

Ignore this check

checks:
  resource_limitation/resource_limiting_bypass:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API4:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.12.6
  • nist: SP800-44
  • fedramp: SC-5

Classification

  • CWE: 770

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
  • CVSS_SCORE: 5.3