Security Test: Security timeout¶
Description¶
Default Severity:
When an application does not bound how long a single request may run, an attacker can deliberately send heavy or complex requests that take a long time to process, holding worker threads, connections and memory and denying service to legitimate users. This usually happens when no server-side timeout is enforced at all, or when the threshold is an arbitrary value that does not reflect the real cost of the application's endpoints, so that a single carefully crafted request can slow down or temporarily incapacitate the service. This test measures how long each request takes to complete and raises an alert whose severity depends on which duration threshold (see Options below) the response time exceeds. Missing or overly generous timeouts are a common pitfall, and they leave the system open to abuse and performance degradation.
Reference:
Configuration¶
Identifier:
resource_limitation/timeout
Examples¶
All configuration available:

```yaml
checks:
  resource_limitation/timeout:
    skip: false # default
    options:
      threshold_info: 4 # default
      threshold_low: 6 # default
      threshold_medium: 10 # default
```
Options¶
Options can be set in the options
key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
threshold_info | number | 4 | Duration of a request (in seconds) at or above which an info-level alert is raised |
threshold_low | number | 6 | Duration of a request (in seconds) at or above which a low-level alert is raised |
threshold_medium | number | 10 | Duration of a request (in seconds) at or above which a medium-level alert is raised |
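The following Python script is an added example and is not the scanner's own code. It models the behaviour described in the Description and Options sections: time a request with a monotonic clock, map the measured duration onto the `threshold_info` / `threshold_low` / `threshold_medium` defaults above, and, on the mitigation side, enforce a hard per-request deadline on the server so a slow handler cannot hold the caller indefinitely. The function names, the `handle_with_deadline` wrapper and the sleeping "slow endpoint" are assumptions constructed for illustration; a real scan would issue HTTP requests instead of calling `time.sleep`.

```python
# Added example, not part of the scanner or this page. Models the duration
# thresholds documented above and a server-side deadline as the mitigation.
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from typing import Callable, Dict, Optional, Tuple

# Defaults taken from the configuration block on this page (seconds).
DEFAULT_THRESHOLDS: Dict[str, float] = {"info": 4.0, "low": 6.0, "medium": 10.0}

# Ordered lowest to highest so the last threshold reached wins.
SEVERITY_ORDER = ("info", "low", "medium")


def severity_for(duration_s: float,
                 thresholds: Dict[str, float] = DEFAULT_THRESHOLDS) -> Optional[str]:
    """Return the highest severity whose threshold the duration reaches.

    None means the request finished below threshold_info and raises no alert.
    """
    level = None
    for name in SEVERITY_ORDER:
        if duration_s >= thresholds[name]:
            level = name
    return level


def time_request(send: Callable[[], object],
                 thresholds: Dict[str, float] = DEFAULT_THRESHOLDS
                 ) -> Tuple[float, Optional[str]]:
    """Measure one request with a monotonic clock and classify its duration.

    `send` is whatever issues the request (an HTTP client call in practice,
    a sleep in the constructed sample below). A request that raises is still
    timed, since a timeout exception is itself a slow response.
    """
    start = time.monotonic()
    try:
        send()
    finally:
        elapsed = time.monotonic() - start
    return elapsed, severity_for(elapsed, thresholds)


# --- mitigation side: a hard per-request deadline on the server -------------

_pool = ThreadPoolExecutor(max_workers=4)  # hypothetical worker pool


def handle_with_deadline(handler: Callable[[], str], deadline_s: float) -> Tuple[int, str]:
    """Run `handler` but give up after `deadline_s` seconds, answering 504
    instead of blocking the client for as long as the handler wants.

    Caveat: a Python thread cannot be killed, so an abandoned handler keeps
    running until it finishes. This bounds client-facing latency, not CPU;
    the full fix is a deadline enforced by the server or proxy layer plus a
    bound on the work itself (query complexity, pagination, result limits).
    """
    future = _pool.submit(handler)
    try:
        body = future.result(timeout=deadline_s)
    except FutureTimeout:
        future.cancel()  # only takes effect if the task has not started yet
        return 504, "request exceeded server deadline"
    return 200, body


if __name__ == "__main__":
    # Constructed sample: a sleeping "endpoint" stands in for a heavy query.
    elapsed, sev = time_request(lambda: time.sleep(0.05))
    print(f"fast request: {elapsed:.2f}s -> {sev}")
    print("5s request  ->", severity_for(5.0))
    print("12s request ->", severity_for(12.0))
    print(handle_with_deadline(lambda: time.sleep(0.3) or "done", 0.1))
    print(handle_with_deadline(lambda: "done", 0.1))
```

Two points worth noting when adapting this: measure with `time.monotonic()` rather than wall-clock time so NTP adjustments cannot distort the result, and treat a client-side timeout as a finding rather than an error, since from the attacker's point of view a request that never returns has succeeded at tying up a worker.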
Compliance and Standards¶
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 400 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C |
CVSS Score | 7.2 |