Route accepts large response from external APIs


Description

An API endpoint accepts large responses from external APIs without enforcing size limits. When an application blindly consumes responses of arbitrary size, it becomes vulnerable to resource exhaustion attacks. A malicious or compromised third-party API could send an oversized response, leading to excessive memory consumption, denial of service, or buffer-related vulnerabilities.

Rationale

This finding is raised when an API route that consumes responses from external APIs receives a response body exceeding the expected size threshold, which indicates that no response size validation is in place.

Remediation

  • Enforce maximum response size limits when consuming external API responses
  • Implement streaming or chunked reading with size checks to prevent loading entire large payloads into memory
  • Set appropriate timeouts and resource limits for external API calls
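The three remediation points above, shown together as an added example that is not code from the original page or from any product it describes: a Content-Length pre-check, a streaming read that aborts as soon as a byte cap is crossed (so at most the cap plus one chunk is ever held in memory), and a per-operation socket timeout paired with a wall-clock deadline. The cap value, the helper names (check_content_length, read_bounded, fetch_bounded) and the exception classes are assumptions for illustration.

```python
"""Bounded consumption of a third-party HTTP response.

Added example, not the page's own code. MAX_BODY_BYTES and the helper
names below are assumed; tune the cap per route.
"""
import time
import urllib.request
from typing import Iterable, Iterator, Mapping, Optional

MAX_BODY_BYTES = 1_000_000      # assumed per-route cap on the upstream body
CHUNK_SIZE = 64 * 1024          # read granularity; bounds per-iteration memory
SOCKET_TIMEOUT_SECONDS = 10     # urllib timeout applies per socket operation
TOTAL_BUDGET_SECONDS = 30       # wall-clock budget for the whole read


class ResponseTooLarge(Exception):
    """Upstream body exceeds the configured cap."""


class UpstreamTimeout(Exception):
    """Upstream kept the connection alive but the wall-clock budget ran out."""


def check_content_length(headers: Optional[Mapping[str, str]],
                         max_bytes: int = MAX_BODY_BYTES) -> Optional[int]:
    """Reject early on the declared size. Returns the declared length, or
    None when it is absent or unparsable. A missing header is NOT treated
    as 'small': the streaming read below still enforces the cap."""
    value = headers.get("Content-Length") if headers else None
    if value is None:
        return None
    try:
        length = int(value)
    except ValueError:
        return None
    if length < 0:
        return None
    if length > max_bytes:
        raise ResponseTooLarge(f"declared {length} bytes, cap is {max_bytes}")
    return length


def read_bounded(chunks: Iterable[bytes],
                 max_bytes: int = MAX_BODY_BYTES,
                 deadline: Optional[float] = None) -> bytes:
    """Accumulate chunks, aborting the moment the running total would exceed
    max_bytes. The buffer never grows past max_bytes, so a lying or absent
    Content-Length cannot force the full payload into memory. An optional
    monotonic deadline catches slow-drip responses that a per-operation
    socket timeout alone would not."""
    buf = bytearray()
    total = 0
    for chunk in chunks:
        if deadline is not None and time.monotonic() > deadline:
            raise UpstreamTimeout("wall-clock budget exhausted while reading body")
        total += len(chunk)
        if total > max_bytes:
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes")
        buf.extend(chunk)
    return bytes(buf)


def _iter_chunks(resp, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield fixed-size chunks from a file-like HTTP response."""
    while True:
        chunk = resp.read(chunk_size)
        if not chunk:
            return
        yield chunk


def fetch_bounded(url: str,
                  max_bytes: int = MAX_BODY_BYTES,
                  socket_timeout: float = SOCKET_TIMEOUT_SECONDS,
                  total_budget: float = TOTAL_BUDGET_SECONDS) -> bytes:
    """Fetch an external API response with a size cap and both timeouts."""
    deadline = time.monotonic() + total_budget
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=socket_timeout) as resp:
        check_content_length(resp.headers, max_bytes)     # fast reject
        return read_bounded(_iter_chunks(resp), max_bytes, deadline)


if __name__ == "__main__":
    # Constructed sample stream: 3 chunks of 400 bytes against a 1000-byte cap.
    sample = [b"x" * 400, b"y" * 400, b"z" * 400]
    try:
        read_bounded(sample, max_bytes=1000)
    except ResponseTooLarge as exc:
        print("rejected:", exc)
```

The Content-Length check is only an optimization; the streaming cap is the control that actually holds, because a hostile upstream can omit the header, understate it, or use chunked encoding. The wall-clock deadline matters because a socket-level timeout only fires when no bytes arrive at all; an upstream trickling one byte every few seconds passes it indefinitely.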

References

Reference: OWASP API10:2023 - Unsafe Consumption of APIs
Description: OWASP API Security guidance on safely consuming third-party APIs.