Time
1 hour 43 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:01
Hey, everyone, welcome back to the course. So in this video, we're gonna talk about
00:05
the fourth item on the OWASP API Security Top 10 list, lack of resources and rate limiting.
00:12
So we'll talk specifically about what it is as well as what ways we can
00:17
mitigate it.
00:20
So what actually is lack of resources and rate limiting? Well, basically, the API itself is not protected against an excessive amount of calls or different payload sizes. So attackers in this example can use things like denial of service attacks, think along the lines of brute force attacks, and a year or two ago there was an article on
00:40
Bleeping Computer about Docker API breaches,
00:42
and that's what they were referring to, where attackers were using this to exploit and download malware and create botnets.
00:52
So how can we mitigate this? Well, number one, we can set specific payload sizes, so we can set limits on payload sizes to block some of that. We can also set specific rate limits on the API methods. We can set it for clients as well as addresses. So again, if you recall from a previous conversation,
01:11
rate limits are basically saying that
01:14
a certain IP address or a certain origin
01:19
can only make X number of requests in this X amount of time period. Otherwise it's going to block it.
01:26
Also, setting resource limits on the containers themselves.
01:30
So a quick quiz question. If APIs were not protected against excessive calls or payloads, then denial of service and brute force attacks can occur. Is that true or false?
01:41
All right, so that's obviously true, right? We mentioned that because there's no protection against an excessive amount of calls, or various sizes of payloads can be accepted, attackers are able to then do brute force attacks and denial of service attacks.
01:57
So in this video, we just talked about what lack of resources and rate limiting is. We also talked about ways to mitigate it, again doing things like rate limiting, also limiting the size of payloads
02:08
and limiting container resources.
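The two mitigations the video names, a payload-size cap and a per-client rate limit ("a certain IP address can only make X requests in X amount of time, otherwise it's going to block it"), as an added example that is not part of the video transcript or of Cybrary's course material. It is a small sliding-window limiter keyed by client IP; the limits (5 requests per 10 seconds, 1024-byte bodies), the client addresses and the brute-force login bodies are all constructed for the demonstration, and the `check_request` helper is hypothetical, standing in for whatever middleware or gateway would enforce these limits in a real deployment.

```python
"""Added example: per-client rate limiting plus a payload-size cap for an API endpoint.

Not from the video; limits, addresses and request bodies are constructed for illustration.
"""
import time
from collections import defaultdict, deque

MAX_REQUESTS = 5            # hypothetical limit: requests per window, per client
WINDOW_SECONDS = 10.0       # hypothetical window length
MAX_PAYLOAD_BYTES = 1024    # hypothetical payload cap


class RateLimiter:
    """Sliding-window limiter keyed by a client identifier (IP address, API key, origin).

    Each client gets a deque of request timestamps; requests older than the window are
    dropped before counting, so the limit is "at most N requests in any W-second span".
    """

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock                  # injectable so the scenario below is deterministic
        self._hits = defaultdict(deque)

    def allow(self, client_id):
        now = self.clock()
        q = self._hits[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()                     # expire timestamps outside the window
        if len(q) >= self.max_requests:
            return False                    # over the limit: block, and do not record the hit
        q.append(now)
        return True


def check_request(limiter, client_ip, body, max_payload=MAX_PAYLOAD_BYTES):
    """Hypothetical gateway check. Returns (HTTP status, reason).

    The size check runs first so an oversized body is rejected before any further work,
    and before it can count against (or be used to flood) the rate limiter.
    """
    if len(body) > max_payload:
        return 413, "payload too large"
    if not limiter.allow(client_ip):
        return 429, "rate limit exceeded"   # a real gateway would also send Retry-After
    return 200, "ok"


def simulate_brute_force():
    """Constructed scenario: one client fires eight login guesses in four seconds."""
    fake_clock = [0.0]
    limiter = RateLimiter(clock=lambda: fake_clock[0])

    statuses = []
    for i in range(8):
        fake_clock[0] += 0.5
        body = b'{"user":"admin","pass":"guess%d"}' % i   # constructed request body
        status, _ = check_request(limiter, "203.0.113.7", body)
        statuses.append(status)

    # The limit is per client, so a second address is unaffected by the first one's burst.
    other_client = check_request(limiter, "198.51.100.2", b"{}")[0]

    # Once the window has passed, the blocked client is served again.
    fake_clock[0] += WINDOW_SECONDS
    after_window = check_request(limiter, "203.0.113.7", b"{}")[0]

    # An oversized body is refused regardless of the client's request count.
    oversized = check_request(limiter, "198.51.100.2", b"x" * (MAX_PAYLOAD_BYTES + 1))[0]

    return statuses, other_client, after_window, oversized


if __name__ == "__main__":
    print(simulate_brute_force())
```

Two design points worth noting: blocked requests are not recorded as hits, so a client that keeps retrying is not locked out longer than the window, and the limiter lives in process memory, which is fine for one instance but means a horizontally scaled API needs the counters in a shared store (or at the gateway) so that attackers cannot multiply the limit by the number of replicas.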

Up Next

Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.

Instructed By

Ken Underhill
Master Instructor at Cybrary