CWE-405: Asymmetric Resource Consumption (Amplification)
Description
The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Submission Date: July 19, 2006
Modification Date: June 29, 2023
Organization: MITRE
Extended Description
This can lead to poor performance due to "amplification" of resource consumption, typically in a non-linear fashion. This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.
Example - 1
This code listens on a port for DNS requests and sends the resulting DNS record to the requesting IP address. Because UDP allows the source IP address to be easily changed ('spoofed'), an attacker can redirect the responses to a target, which may then be overwhelmed by the network traffic.

import socket

# UDP_IP and UDP_PORT are assumed to be defined elsewhere; parseUDPpacket, resolveName
# and sendResponse are helper functions the listing does not show.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind( (UDP_IP,UDP_PORT) )
while True:
    data = sock.recvfrom(1024)
    if not data:
        break
    # The request's source address is taken from the packet and never verified.
    # UDP lets an attacker spoof it, so the (larger) response goes wherever the
    # attacker points it.
    (requestIP, nameToResolve) = parseUDPpacket(data)
    record = resolveName(nameToResolve)
    sendResponse(requestIP,record)
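One defensive pattern for the listener above, written here as an added example rather than code from the CWE entry: when the source of a UDP query has not been verified and the answer would be much larger than the query, reply with a truncated (TC=1) header-plus-question only, so a genuine resolver retries over TCP while a spoofed victim receives no more bytes than it "sent". The amplification limit, the helper names and the sample query are assumptions constructed for this example.

```python
import struct

# Assumed policy value: an unverified UDP source may receive at most this many
# response bytes per request byte before the server refuses to amplify further.
MAX_AMPLIFICATION = 3.0

def question_end(query):
    """Return the offset just past the first question (QNAME + QTYPE + QCLASS).
    Client queries carry an uncompressed name, so each label is <len><bytes>."""
    i = 12                              # DNS header is 12 bytes
    while query[i] != 0:
        i += 1 + query[i]               # skip one label
    return i + 1 + 4                    # root terminator + QTYPE + QCLASS

def truncated_reply(query):
    """Build a reply carrying only the header and the echoed question, with
    QR=1 and TC=1. A genuine resolver retries over TCP, whose handshake proves
    its source address; a spoofed victim gets back no more than was 'sent'."""
    txid, flags = struct.unpack("!HH", query[:4])
    rd = flags & 0x0100                 # preserve the client's RD bit
    header = struct.pack("!HHHHHH", txid, 0x8000 | 0x0200 | rd, 1, 0, 0, 0)
    return header + query[12:question_end(query)]

def build_udp_reply(query, full_reply, source_verified):
    """Send the full (possibly large) answer only when the source is verified
    (e.g. the query arrived over TCP) or the size ratio is within policy;
    otherwise answer with the truncated reply."""
    if source_verified or len(full_reply) <= MAX_AMPLIFICATION * len(query):
        return full_reply
    return truncated_reply(query)

def build_query(txid, name):
    """Constructed sample input: a standard A/IN query for `name` with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```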
Example - 2
This code prints the contents of a file requested by a user. It first reads the specified file into memory, then prints the file if the user is authorized to see its contents. Reading the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.

<?php
function printFile($username,$filename){
    // read file into string -- this happens before the authorization check,
    // so an unauthorized request still pays the full cost of reading the file
    $file = file_get_contents($filename);
    if ($file && isOwnerOf($username,$filename)){
        echo $file;
        return true;
    }
    else{
        echo 'You are not authorized to view this file';
    }
    return false;
}
Example - 3
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
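A parser-side guard against the doubling DTD above, added here as an example and not part of the CWE entry: each internal entity is sized from its declaration (ONE is two copies of ZERO, so size(ONE) = 2*size(ZERO), and so on), and the parse is aborted inside the DTD as soon as a declared entity would exceed a budget, before the document body ever triggers the expansion. The budget value and the document-building helper are assumptions constructed for this example.

```python
import re
import xml.parsers.expat

# Assumed budget: the largest fully expanded size (in characters) any single
# internal entity may reach before the document is rejected.
MAX_ENTITY_EXPANSION = 1_000_000

_REF = re.compile(r"&([^;&\s]+);")

class EntityExpansionGuard:
    """Size each internal entity from its declaration, before anything is expanded.
    The first declaration whose computed size exceeds the budget aborts the parse
    while the parser is still inside the DTD."""

    def __init__(self, limit=MAX_ENTITY_EXPANSION):
        self.limit = limit
        self.sizes = {}                       # entity name -> expanded length
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.EntityDeclHandler = self._on_entity_decl

    def _on_entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:                     # external entity: no replacement text to size
            return
        expanded, pos = 0, 0
        for m in _REF.finditer(value):        # replace each &ref; by its already computed size
            expanded += (m.start() - pos) + self.sizes.get(m.group(1), len(m.group(0)))
            pos = m.end()
        expanded += len(value) - pos
        if expanded > self.limit:
            raise ValueError(f"entity {name!r} would expand to {expanded} chars (limit {self.limit})")
        self.sizes[name] = expanded

    def check(self, document):
        """Parse `document` (str or bytes); raises ValueError on an over-budget entity."""
        self.parser.Parse(document, True)
        return self.sizes

def build_doubling_document(depth):
    """Constructed sample input in the shape of the DTD above: E0 is one character and
    each Ek is two copies of E(k-1), so E<depth> expands to 2**depth characters."""
    decls = ['<!ENTITY E0 "A">']
    decls += [f'<!ENTITY E{k} "&E{k-1};&E{k-1};">' for k in range(1, depth + 1)]
    return ('<?xml version="1.0"?>\n<!DOCTYPE data [\n' + "\n".join(decls)
            + f'\n]>\n<data>&E{depth};</data>')
```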
Example - 4
This example attempts to check if an input string is a "sentence" [REF-1164]. Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.
// Bad: the nested quantifiers in (\w+\s?)* let the engine try exponentially many
// ways to split a run of word characters, so a non-matching tail such as "$@#"
// causes catastrophic backtracking.
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern);

// Good: the lookahead (?=(\w+)) captures the whole word once and \2 consumes exactly
// that text, so the engine cannot re-split the word when the match fails.
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern);
Example - 5
An adversary can cause significant resource consumption on a server by filtering the cryptographic algorithms offered by the client to the ones that are the most resource-intensive on the server side. After discovering which cryptographic algorithms are supported by the server, a malicious client can send initial cryptographic handshake messages that contain only the resource-intensive algorithms. For some cryptographic protocols, these messages can be completely prefabricated, as the resource-intensive part of the handshake happens on the server side first (such as TLS), rather than on the client side. In the case of cryptographic protocols where the resource-intensive part should happen on the client side first (such as SSH), a malicious client can send a forged/precalculated computation result, which seems correct to the server, so the resource-intensive part of the handshake is going to happen on the server side. A malicious client is required to send only the initial messages of a cryptographic handshake to initiate the resource-consuming part of the cryptographic handshake. These messages are usually small, and generating them requires minimal computational effort, enabling a denial-of-service attack. An additional risk is the fact that a higher key size increases the effectiveness of the attack. Cryptographic protocols where the clients have influence over the size of the used key (such as TLS 1.3 or SSH) are most at risk, as the client can enforce the highest key size supported by the server.
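Two server-side controls for the handshake scenario above, added here as an example that is not part of the CWE entry: the key-exchange group is chosen in the server's own preference order (so the client cannot steer negotiation to the most expensive option or the largest key), and each source address gets a sliding-window budget of server-side handshake work, so cheap-to-send initial messages cannot buy unbounded expensive computation. The group names are real TLS/SSH group names, but the cost units, preference list, budget values and addresses are assumptions constructed for this example.

```python
from collections import deque

# Constructed relative server-side costs per key-exchange group (illustrative units only;
# the ordering reflects that large finite-field DH groups cost far more than X25519).
SERVER_COST = {"x25519": 1, "secp256r1": 2, "ffdhe2048": 8, "ffdhe4096": 40, "ffdhe8192": 250}
# Server preference, cheapest first; ffdhe8192 is deliberately not enabled at all.
SERVER_PREFERENCE = ["x25519", "secp256r1", "ffdhe2048", "ffdhe4096"]

def choose_group(client_offer, server_preference=SERVER_PREFERENCE):
    """Select the key-exchange group in the *server's* preference order, so a client that
    lists only expensive groups cannot steer the server to them; None means refuse."""
    offered = set(client_offer)
    for group in server_preference:
        if group in offered:
            return group
    return None

class HandshakeBudget:
    """Per-source budget of server-side handshake work inside a sliding time window, so the
    cheap-to-send initial messages cannot buy unbounded expensive server computation."""

    def __init__(self, max_cost, window_seconds):
        self.max_cost = max_cost
        self.window = window_seconds
        self.history = {}                  # source address -> deque of (timestamp, cost)

    def admit(self, source, group, now):
        """Charge this handshake's server cost to `source`; False means drop it before
        any expensive computation starts."""
        cost = SERVER_COST[group]
        spent = self.history.setdefault(source, deque())
        while spent and spent[0][0] <= now - self.window:
            spent.popleft()                # forget work that fell outside the window
        if sum(c for _, c in spent) + cost > self.max_cost:
            return False
        spent.append((now, cost))
        return True

def negotiate(budget, source, client_offer, now):
    """Server-side decision for one ClientHello/KEXINIT: pick the group, then check the
    budget. Returns the chosen group, or None if the handshake is refused."""
    group = choose_group(client_offer)
    if group is None or not budget.admit(source, group, now):
        return None
    return group
```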
Related Weaknesses
This table shows the weaknesses and high-level categories that are related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CWE-407: Inefficient Algorithmic Complexity
CWE-408: Incorrect Behavior Order: Early Amplification
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-1050: Excessive Platform Resource Consumption within a Loop
CWE-1072: Data Resource Access without Use of Connection Pooling
CWE-1073: Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
CWE-1084: Invokable Control Element with Excessive File or Data Access Operations
CWE-1089: Large Data Table with Excessive Number of Indices
CWE-1094: Excessive Index Range Scan for a Data Resource
CWE-1176: Inefficient CPU Computation
Visit http://cwe.mitre.org/ for more details.