Severity: medium | CWE-770 | API4:2023

Unrestricted Resource Consumption

API endpoints without rate limiting, pagination, or resource limits — allowing attackers to exhaust server resources, rack up costs, or extract large datasets.

How It Works

Without rate limiting, an attacker can flood your API with requests, causing denial of service or excessive cloud bills. Without pagination limits, a single request can return millions of records. Without request size limits, large payloads can exhaust memory. This is especially dangerous for APIs that trigger expensive operations like AI model calls, email sending, or file processing — each request costs real money.

Vulnerable Code

// No rate limit, no pagination, no bound on the size of the result
app.get('/api/users', auth, async (req, res) => {
  const users = await User.find(); // Returns ALL users in a single response
  res.json(users);
});

Secure Code

import rateLimit from 'express-rate-limit';

// At most 100 requests per client per 60-second window; excess requests get HTTP 429
const limiter = rateLimit({ windowMs: 60000, max: 100 });

app.get('/api/users', auth, limiter, async (req, res) => {
  // Clamp the client-supplied page number: NaN, 0 and negative values become page 1,
  // so a negative skip() can never reach the database
  const page = Math.max(1, parseInt(req.query.page, 10) || 1);
  const users = await User.find()
    .skip((page - 1) * 20).limit(20); // fixed, server-controlled page size of 20
  res.json(users);
});

Real-World Example

In 2023, multiple startups reported unexpected AI API bills exceeding $100,000 after attackers discovered their unprotected endpoints that called GPT-4. Without rate limiting, each request cost ~$0.03 and bots sent millions of requests.

How to Prevent It

  • Implement rate limiting on all API endpoints
  • Always use pagination with reasonable page sizes
  • Set request body size limits
  • Monitor and alert on unusual usage patterns
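The pagination clamp and the rate-limit window from the Secure Code snippet, written out as an added example (not code from the original page) in dependency-free form so each control can be tested in isolation; the `MAX_PAGE_SIZE` cap, the `10kb` body limit and the `app`/`auth`/`User` objects in the trailing wiring comment are assumptions.

```javascript
// Added example (not from the original page): dependency-free versions of the
// controls behind the "Secure Code" snippet, so they can be unit-tested.
const MAX_PAGE_SIZE = 100;    // server-side cap no client can exceed (assumed value)
const DEFAULT_PAGE_SIZE = 20;

// Turn untrusted query-string values into a safe skip/limit pair. NaN, zero,
// negatives and oversized limits are replaced rather than passed to the
// database, where a negative skip is an error and a huge limit is a table dump.
function parsePagination(query, maxPageSize = MAX_PAGE_SIZE) {
  const page = Number.parseInt(query.page, 10);
  const limit = Number.parseInt(query.limit, 10);
  const safePage = Number.isInteger(page) && page >= 1 ? page : 1;
  const safeLimit = Number.isInteger(limit) && limit >= 1
    ? Math.min(limit, maxPageSize) : DEFAULT_PAGE_SIZE;
  return { page: safePage, limit: safeLimit, skip: (safePage - 1) * safeLimit };
}

// In-memory per-key fixed window with the windowMs/max semantics of
// express-rate-limit (single process only; shared store needed across instances).
class FixedWindowLimiter {
  constructor({ windowMs, max }) {
    this.windowMs = windowMs;
    this.max = max;
    this.buckets = new Map(); // key -> { windowStart, count }
  }
  // true if allowed, false once the key is over budget; `now` is injectable
  // so window rollover can be tested deterministically.
  allow(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      b = { windowStart: now, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.max) return false;
    b.count += 1;
    return true;
  }
}

// Express wiring with the page's assumed app/auth/User objects (not run here):
//   const limiter = new FixedWindowLimiter({ windowMs: 60000, max: 100 });
//   app.use(express.json({ limit: '10kb' }));   // request body size limit
//   app.get('/api/users', auth,
//     (req, res, next) => (limiter.allow(req.ip) ? next() : res.status(429).end()),
//     async (req, res) => {
//       const { skip, limit } = parsePagination(req.query);
//       res.json(await User.find().skip(skip).limit(limit));
//     });
```

The limiter's counters live in process memory, so behind a load balancer each instance enforces its own budget; the per-client total is then `max` times the instance count unless the store is shared.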

Affected Technologies

Node.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.

