Security Test: Response size
Description
Default Severity:
Sometimes an application ends up sending back a much larger response than intended, which puts a strain on both the server and the client. This happens when inputs aren't properly validated or when there's no limit on how much data the server is allowed to return. It can slow down or even crash systems and opens the door to denial-of-service attacks, where attackers deliberately trigger these oversized responses to overwhelm your resources. Developers often fall into the trap of assuming that, because they are returning data, bigger is better, without putting controls in place to bound response sizes or to detect unusual activity. This oversight leads to unexpected system behavior and makes it easier for attackers to disrupt your services.
Configuration
Identifier:
resource_limitation/response_size
Examples
All configuration available:

```yaml
checks:
  resource_limitation/response_size:
    skip: false # default
    options:
      threshold: 10485760 # default
```
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
threshold | number | 10485760 | Smallest response size at which an alert is raised |
Compliance and Standards
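The check described above reduces to one rule: a response whose body is at least `threshold` in size is reported. The following is an added example of how a scanner can apply that rule safely; it is not Escape's own implementation. It uses the documented default threshold, and it streams the body in chunks so that the scanner itself never has to buffer an oversized response. A declared Content-Length above the threshold is reported immediately, but the header is never trusted on its own, since it may be absent or understate the real body. The response headers and body chunks in the demo are constructed for this example.

```python
"""Added example: a streaming response-size check matching the
resource_limitation/response_size option. Not part of Escape's code."""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

DEFAULT_THRESHOLD = 10485760  # the documented default for `threshold`


@dataclass
class Finding:
    url: str
    observed_bytes: int            # bytes actually read before we stopped
    declared_bytes: Optional[int]  # Content-Length header value, if present
    threshold: int

    def describe(self) -> str:
        declared = "unknown" if self.declared_bytes is None else str(self.declared_bytes)
        return (f"{self.url}: response reached {self.threshold}-byte threshold "
                f"(read {self.observed_bytes} bytes, Content-Length {declared})")


def parse_content_length(headers: Dict[str, str]) -> Optional[int]:
    """Return Content-Length as a non-negative int, or None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "content-length":
            try:
                n = int(value.strip())
            except ValueError:
                return None
            return n if n >= 0 else None
    return None


def check_response_size(url: str, headers: Dict[str, str], body_chunks: Iterable[bytes],
                        threshold: int = DEFAULT_THRESHOLD) -> Optional[Finding]:
    """Report a response whose body size is at or above `threshold`.

    The declared length is checked first so an obviously oversized response is
    flagged without reading it. Otherwise the body is consumed chunk by chunk and
    reading stops as soon as the threshold is reached, bounding the scanner's own
    memory and bandwidth even when the server lies about or omits Content-Length.
    """
    declared = parse_content_length(headers)
    if declared is not None and declared >= threshold:
        return Finding(url, 0, declared, threshold)

    observed = 0
    for chunk in body_chunks:
        observed += len(chunk)
        if observed >= threshold:
            return Finding(url, observed, declared, threshold)
    return None


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Yield `data` in `size`-byte pieces, standing in for a streamed HTTP body."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def run_demo(threshold: int = 1024) -> List[Optional[Finding]]:
    """Run the check over four constructed responses (threshold lowered for the demo)."""
    small = b'{"ok":true}'
    return [
        # 1. Ordinary small JSON reply: no finding.
        check_response_size("https://example.test/api/ping",
                            {"Content-Type": "application/json",
                             "Content-Length": str(len(small))},
                            chunked(small, 512), threshold),
        # 2. Header already declares an oversized body: flagged before reading.
        check_response_size("https://example.test/api/export",
                            {"Content-Length": "5000000"},
                            chunked(b"", 512), threshold),
        # 3. Chunked transfer with no Content-Length: flagged after 11 x 100 bytes.
        check_response_size("https://example.test/api/search?q=*",
                            {"Transfer-Encoding": "chunked"},
                            chunked(b"x" * 10000, 100), threshold),
        # 4. Content-Length understates a 2048-byte body: the body is ground truth.
        check_response_size("https://example.test/api/users",
                            {"Content-Length": "10"},
                            chunked(b"y" * 2048, 512), threshold),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print("OK" if result is None else result.describe())
```

Because `check_response_size` stops consuming the body once the threshold is reached, the same function can be dropped in front of any client library that exposes the body as an iterator of chunks, and the observed byte count it records tells you how far past the limit the server was willing to go.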
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.1 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 400 |
CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVSS Score | 3.7 |