A4: Lack of Resource and Rate Limiting

1 hour 43 minutes
Video Transcription
Hey, everyone, welcome back to the course. So in this video, we're gonna talk about the fourth item on the OWASP API Security Top 10 list, lack of resource and rate limiting. So we'll talk specifically about what it is as well as what ways we can
So what actually is lack of resource and rate limiting? Well, basically, the API itself is not protected against an excessive amount of calls or different payload sizes. So attackers in this example can use things like denial of service attacks, think along the lines of brute force attacks, and a year or two ago there was an article on BleepingComputer about Docker API breaches, and that's what they were referring to, where attackers were using this to exploit and download malware and create botnets.
So how can we mitigate this? Well, number one, we can set specific payload sizes, so we can set limits on payload sizes to block some of that. We can also set specific rate limits on the API methods. We can set it for clients as well as addresses. So again, if you recall from a previous conversation, rate limits are basically saying that a certain IP address or a certain origin can only make X number of requests in this X amount of time period; otherwise it's going to block it. Also, setting resource limits on the containers themselves.
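The two mitigations just described, a payload-size cap and a per-client rate limit, are shown below in a small Python example. This is an added illustration, not code from the course or from any product it mentions; the limits (5 requests per 60 seconds, 1024-byte bodies), the client keys, the in-memory store and the sample traffic are all constructed assumptions. The limiter uses a sliding window per client key, checks the body size before it counts the request so an oversized body costs the backend nothing, and returns a retry-after hint that a gateway could send back as a `Retry-After` header.

```python
"""Per-client rate limiting and payload-size limiting for an API gateway.

Added example (not from the course or any product it mentions). Assumptions:
MAX_REQUESTS per WINDOW_SECONDS per client key, a MAX_BODY_BYTES cap on request
bodies, and a simple in-memory store. A production deployment would keep the
counters in a shared store (for example Redis) so every gateway replica agrees.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_REQUESTS = 5           # requests allowed per client per window (assumed value)
WINDOW_SECONDS = 60.0      # length of the sliding window in seconds (assumed value)
MAX_BODY_BYTES = 1024      # largest request body accepted (assumed value)


@dataclass
class Decision:
    allowed: bool
    reason: str                # "ok", "payload_too_large" or "rate_limited"
    retry_after: float = 0.0   # seconds until the client may retry (0 when allowed)


@dataclass
class RateLimiter:
    """Sliding-window limiter: keeps timestamps of recent accepted requests per key."""
    max_requests: int = MAX_REQUESTS
    window: float = WINDOW_SECONDS
    max_body: int = MAX_BODY_BYTES
    _hits: dict = field(default_factory=dict)  # key -> deque of accepted timestamps

    def check(self, key: str, body_len: int, now: float) -> Decision:
        # 1. Payload-size limit: reject oversized bodies before any other work and
        #    before counting them, so a large body never reaches the backend.
        if body_len > self.max_body:
            return Decision(False, "payload_too_large")

        # 2. Rate limit: drop timestamps that left the window, then compare.
        hits = self._hits.setdefault(key, deque())
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:
            hits.popleft()
        if len(hits) >= self.max_requests:
            # The oldest hit still in the window decides when a slot frees up.
            retry_after = hits[0] + self.window - now
            return Decision(False, "rate_limited", retry_after)

        hits.append(now)
        return Decision(True, "ok")


def replay(limiter: RateLimiter, requests):
    """Run a sequence of (client_key, body_len, timestamp) tuples through the limiter."""
    return [limiter.check(key, body_len, ts) for key, body_len, ts in requests]


# Constructed sample traffic: one client bursting at an endpoint, a second
# well-behaved client, and one oversized request. Addresses are documentation ranges.
SAMPLE_REQUESTS = [
    ("203.0.113.10", 120, 0.0),
    ("203.0.113.10", 120, 1.0),
    ("203.0.113.10", 120, 2.0),
    ("203.0.113.10", 120, 3.0),
    ("203.0.113.10", 120, 4.0),
    ("203.0.113.10", 120, 5.0),     # 6th request inside 60 s -> rate_limited, retry in 55 s
    ("198.51.100.7", 120, 5.5),     # different client key, its own budget -> ok
    ("203.0.113.10", 4096, 6.0),    # oversized body -> payload_too_large
    ("203.0.113.10", 120, 60.5),    # the t=0 hit has expired -> allowed again
]

if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, replay(RateLimiter(), SAMPLE_REQUESTS)):
        print(req, "->", decision)
```

The key can be a source IP, an API key or an authenticated user ID; keying on the authenticated identity is usually the better choice for logged-in traffic, since many clients can sit behind one address. The third mitigation from the video, resource limits on the containers, is set outside the application, for example with Docker's `--memory` and `--cpus` options or the equivalent Kubernetes resource limits, so that a flood that does get through cannot take the whole host with it.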
So a quick quiz question. If APIs were not protected against excessive calls or payloads, then denial of service and brute force attacks can occur. Is that true or false?
All right, so that's obviously true, right? We mentioned that because there's no protection against an excessive amount of calls, or various sizes of payloads can be accepted, attackers are able to then do brute force attacks and denial of service attacks.
So in this video, we just talked about what lack of resource and rate limiting is. We also talked about ways to mitigate it: again, doing things like rate limiting, also limiting the size of payloads and limiting container resources.
Introduction to the OWASP API Security Top 10

The Introduction to the OWASP API Security Top 10 course will teach students why API security is needed. Students will get a brief refresher on the CIA triad and AAA, then move into learning about the OWASP Top 10 from an API security perspective.