CWE-400
DiscouragedUncontrolled Resource Consumption
Abstraction: Class · Status: Draft
The product does not properly control the allocation and maintenance of a limited resource.
5417 vulnerabilities reference this CWE, most recent first.
GHSA-HG36-5628-7F89
Vulnerability from github – Published: 2022-08-17 00:00 – Updated: 2022-08-18 00:00CENTUM VP / CS 3000 controller FCS (CP31, CP33, CP345, CP401, and CP451) contains an issue in processing communication packets, which may lead to resource consumption. If this vulnerability is exploited, an attacker may cause a denial of service (DoS) condition in ADL communication by sending a specially crafted packet to the affected product.
{
"affected": [],
"aliases": [
"CVE-2022-33939"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-16T08:15:00Z",
"severity": "HIGH"
},
"details": "CENTUM VP / CS 3000 controller FCS (CP31, CP33, CP345, CP401, and CP451) contains an issue in processing communication packets, which may lead to resource consumption. If this vulnerability is exploited, an attacker may cause a denial of service (DoS) condition in ADL communication by sending a specially crafted packet to the affected product.",
"id": "GHSA-hg36-5628-7f89",
"modified": "2022-08-18T00:00:17Z",
"published": "2022-08-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33939"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU94343729/index.html"
},
{
"type": "WEB",
"url": "https://web-material3.yokogawa.com/1/33029/files/YSAR-22-0008-E.pdf"
},
{
"type": "WEB",
"url": "https://web-material3.yokogawa.com/19/33029/files/YSAR-22-0008-J.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG3R-JW9Q-9WC4
Vulnerability from github – Published: 2022-06-21 00:00 – Updated: 2022-07-01 00:01The Rating by BestWebSoft WordPress plugin through 1.5 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating
{
"affected": [],
"aliases": [
"CVE-2021-25121"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-20T11:15:00Z",
"severity": "MODERATE"
},
"details": "The Rating by BestWebSoft WordPress plugin through 1.5 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service on the post/page when a user submit such rating",
"id": "GHSA-hg3r-jw9q-9wc4",
"modified": "2022-07-01T00:01:13Z",
"published": "2022-06-21T00:00:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25121"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/efb1ddef-2123-416c-a932-856d41ed836d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HG78-4F6X-99WQ
Vulnerability from github – Published: 2018-11-15 15:58 – Updated: 2023-08-28 12:46There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.4"
},
{
"fixed": "2.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-16470"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:40:04Z",
"nvd_published_at": "2018-11-13T23:29:00Z",
"severity": "HIGH"
},
"details": "There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.",
"id": "GHSA-hg78-4f6x-99wq",
"modified": "2023-08-28T12:46:14Z",
"published": "2018-11-15T15:58:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16470"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3172"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16470.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack vulnerable to Denial of Service"
}
GHSA-HGG7-CGHQ-XHF4
Vulnerability from github – Published: 2022-05-17 03:23 – Updated: 2023-08-16 09:36When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.
Jruby resolves this bug in version 1.7.3 as noted in https://www.jruby.org/2013/02/21/jruby-1-7-3.html
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-1821"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-08T12:51:05Z",
"nvd_published_at": "2013-04-09T21:55:00Z",
"severity": "MODERATE"
},
"details": "When reading text nodes from an XML document, the REXML parser can be coerced in to allocating extremely large string objects which can consume all of the memory on a machine, causing a denial of service.\n\nJruby resolves this bug in version 1.7.3 as noted in https://www.jruby.org/2013/02/21/jruby-1-7-3.html",
"id": "GHSA-hgg7-cghq-xhf4",
"modified": "2023-08-16T09:36:12Z",
"published": "2022-05-17T03:23:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1821"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=914716"
},
{
"type": "PACKAGE",
"url": "https://github.com/jruby/jruby"
},
{
"type": "WEB",
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0092"
},
{
"type": "WEB",
"url": "https://www.jruby.org/2013/02/21/jruby-1-7-3.html"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00015.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00036.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1147.html"
},
{
"type": "WEB",
"url": "http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision\u0026revision=39384"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2738"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2013/dsa-2809"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:124"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2013/03/06/5"
},
{
"type": "WEB",
"url": "http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22"
},
{
"type": "WEB",
"url": "http://www.slackware.com/security/viewer.php?l=slackware-security\u0026y=2013\u0026m=slackware-security.426862"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1780-1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Ruby vulnerable to denial of service"
}
GHSA-HGGR-P7V6-73P5
Vulnerability from github – Published: 2022-12-28 00:30 – Updated: 2024-05-20 19:41Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/revel/revel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36568"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-30T00:57:23Z",
"nvd_published_at": "2022-12-27T22:15:00Z",
"severity": "MODERATE"
},
"details": "Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation.",
"id": "GHSA-hggr-p7v6-73p5",
"modified": "2024-05-20T19:41:10Z",
"published": "2022-12-28T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36568"
},
{
"type": "WEB",
"url": "https://github.com/revel/revel/issues/1424"
},
{
"type": "WEB",
"url": "https://github.com/revel/revel/pull/1427"
},
{
"type": "WEB",
"url": "https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605"
},
{
"type": "PACKAGE",
"url": "https://github.com/revel/revel"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2020-0003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "revel is vulnerable to resource exhaustion"
}
GHSA-HGMG-HHC8-G5WR
Vulnerability from github – Published: 2021-01-29 21:51 – Updated: 2022-08-11 18:16Impact
A regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version <= 24.0.0.
Patches
The problem has been recognized and patched. The fix will be available in version 25.0.0.
Workarounds
The user can work around the issue by: - Upgrading CKEditor 5 to version 25.0.0. - Disabling the Markdown plugin.
More information
If you have any questions or comments about this advisory: * Email us at security@cksource.com
Acknowledgements
The CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and Alvaro Muñoz from GitHub for reporting it.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 24.0.0"
},
"package": {
"ecosystem": "npm",
"name": "@ckeditor/ckeditor5-markdown-gfm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "25.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21254"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-01-29T21:50:43Z",
"nvd_published_at": "2021-01-29T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nA regular expression denial of service (ReDoS) vulnerability has been discovered in the CKEditor 5 Markdown plugin code. The vulnerability allowed to abuse a link recognition regular expression, which could cause a significant performance drop resulting in a browser tab freeze. It affects all users using the CKEditor 5 Markdown plugin at version \u003c= 24.0.0. \n\n### Patches\nThe problem has been recognized and patched. The fix will be available in version 25.0.0.\n\n### Workarounds\nThe user can work around the issue by:\n- Upgrading CKEditor 5 to version 25.0.0.\n- Disabling the Markdown plugin.\n\n### More information\nIf you have any questions or comments about this advisory:\n* Email us at [security@cksource.com](mailto:security@cksource.com)\n\n### Acknowledgements\nThe CKEditor 5 team would like to thank Erik Krogh Kristensen from the GitHub team for recognizing this vulnerability and \nAlvaro Mu\u00f1oz from GitHub for reporting it.",
"id": "GHSA-hgmg-hhc8-g5wr",
"modified": "2022-08-11T18:16:15Z",
"published": "2021-01-29T21:51:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-hgmg-hhc8-g5wr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21254"
},
{
"type": "PACKAGE",
"url": "https://github.com/ckeditor/ckeditor5"
},
{
"type": "WEB",
"url": "https://github.com/ckeditor/ckeditor5/releases/tag/v25.0.0"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@ckeditor/ckeditor5-markdown-gfm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "CKEditor 5 Markdown plugin Regular expression Denial of Service"
}
GHSA-HGP8-W8FJ-R4CM
Vulnerability from github – Published: 2022-11-22 03:30 – Updated: 2023-07-11 13:52ToolJet/ToolJet placed no limit on the file size for user avatars. This could cause a denial of service if too many users upload large files. This is fixed in commit 01cd3f0464747973ec329e9fb1ea12743d3235cc in version 1.27.0.
tooljet is no longer listed on npmjs.com but was listed on npmjs.com in the past. This advisory is maintained for historical completeness.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tooljet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.27.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-4111"
],
"database_specific": {
"cwe_ids": [
"CWE-1284",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-02T22:38:23Z",
"nvd_published_at": "2022-11-22T03:15:00Z",
"severity": "MODERATE"
},
"details": "ToolJet/ToolJet placed no limit on the file size for user avatars. This could cause a denial of service if too many users upload large files. This is fixed in commit 01cd3f0464747973ec329e9fb1ea12743d3235cc in version 1.27.0.\n\n`tooljet` is no longer listed on npmjs.com but was [listed on npmjs.com in the past](https://web.archive.org/web/20220210014826/https://www.npmjs.com/package/tooljet). This advisory is maintained for historical completeness.",
"id": "GHSA-hgp8-w8fj-r4cm",
"modified": "2023-07-11T13:52:18Z",
"published": "2022-11-22T03:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4111"
},
{
"type": "WEB",
"url": "https://github.com/ToolJet/ToolJet/pull/4103"
},
{
"type": "WEB",
"url": "https://github.com/tooljet/tooljet/commit/01cd3f0464747973ec329e9fb1ea12743d3235cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/ToolJet/ToolJet"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/5596d072-66d2-4361-8cac-101c9c781c3d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ToolJet is vulnerable to Denial of Service (DoS)"
}
GHSA-HGPF-97C5-74FC
Vulnerability from github – Published: 2021-05-10 19:08 – Updated: 2021-04-19 23:43This affects the package @absolunet/kafe before 3.2.10. It allows cause a denial of service when validating crafted invalid emails.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@absolunet/kafe"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-7761"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-19T23:43:02Z",
"nvd_published_at": "2020-11-05T11:15:00Z",
"severity": "MODERATE"
},
"details": "This affects the package @absolunet/kafe before 3.2.10. It allows cause a denial of service when validating crafted invalid emails.",
"id": "GHSA-hgpf-97c5-74fc",
"modified": "2021-04-19T23:43:02Z",
"published": "2021-05-10T19:08:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7761"
},
{
"type": "WEB",
"url": "https://github.com/absolunet/kafe/commit/c644c798bfcdc1b0bbb1f0ca59e2e2664ff3fdd0%23diff-f0f4b5b19ad46588ae9d7dc1889f681252b0698a4ead3a77b7c7d127ee657857"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-ABSOLUNETKAFE-1017403"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@absolunet/kafe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Regular expression denial of service in @absolunet/kafe"
}
GHSA-HGPR-8P93-4GQM
Vulnerability from github – Published: 2026-02-04 03:30 – Updated: 2026-02-04 21:30A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage.
{
"affected": [],
"aliases": [
"CVE-2025-69620"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T02:16:10Z",
"severity": "HIGH"
},
"details": "A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage.",
"id": "GHSA-hgpr-8p93-4gqm",
"modified": "2026-02-04T21:30:32Z",
"published": "2026-02-04T03:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69620"
},
{
"type": "WEB",
"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/11"
},
{
"type": "WEB",
"url": "https://secsys.fudan.edu.cn"
},
{
"type": "WEB",
"url": "http://office.com"
},
{
"type": "WEB",
"url": "http://www.ntoolslab.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HGQ9-Q8G2-3JMG
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-11-01 23:33SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.vivoweb:vitro-project"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-6986"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-01T23:33:34Z",
"nvd_published_at": "2019-01-28T15:29:00Z",
"severity": "HIGH"
},
"details": "SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to execute arbitrary SPARQL via the uri parameter, leading to a regular expression denial of service (ReDoS), as demonstrated by crafted use of FILTER%20regex in a /individual?uri= request.",
"id": "GHSA-hgq9-q8g2-3jmg",
"modified": "2022-11-01T23:33:34Z",
"published": "2022-05-13T01:22:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6986"
},
{
"type": "WEB",
"url": "https://github.com/vivo-project/Vitro/pull/111"
},
{
"type": "WEB",
"url": "https://github.com/vivo-project/Vitro/pull/111/commits/248ef19107a5ac6f86304fd8f3bc75f3787f8d49"
},
{
"type": "WEB",
"url": "https://github.com/kevinbackhouse/SecurityExploits/tree/0ec74459ac53685a7959ed58d580ef8abece3685/vivo-project"
},
{
"type": "PACKAGE",
"url": "https://github.com/vivo-project/Vitro"
},
{
"type": "WEB",
"url": "https://jira.duraspace.org/browse/VIVO-1697"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/172838/VIVO-SPARQL-Injection.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Command Injection in VIVO Vitro"
}
Mitigation
Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
Mitigation
- Mitigation of resource exhaustion attacks requires that the target system either:
- The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
- The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
- recognizes the attack and denies that user further access for a given amount of time, or
- uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed.
Mitigation
Ensure that protocols have specific limits of scale placed on them.
Mitigation
Ensure that all failures in resource allocation place the system into a safe posture.
CAPEC-147: XML Ping of the Death
An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.