Availability & Abuse

Tags: Availability, DoS, Resource Abuse, Rate Limiting

Availability & Abuse vulnerabilities at a glance

What it is: Attackers are able to degrade or deny service availability through weaknesses such as algorithmic complexity attacks, a lack of rate limiting, and resource exhaustion.
Why it happens: An attacker can take down an entire service with minimal resources of their own.
How to fix: The specific fix depends on the exact vulnerability, but in general the key is to enforce sufficient rate and resource limits across your systems.

Overview

Attackers can degrade service performance or completely deny access to legitimate users by overloading systems.

There are different ways these attacks can take place, but they all focus on exceeding the capacity of a system. They are particularly concerning because they can often be executed with minimal resources while causing significant impact: a single attacker can take down a service, costing thousands in lost revenue and reputation damage.

```mermaid
sequenceDiagram
    participant Attacker
    participant App as Web Server
    participant CPU
    loop Repeated requests
        Attacker->>App: POST /search (ReDoS payload)
        App->>CPU: Regex evaluation (catastrophic backtracking)
        CPU-->>CPU: 100% CPU for 30 seconds
        App-->>Attacker: 503 Timeout
    end
    Note over App: Missing: Rate limiting<br/>Missing: Regex complexity limits<br/>Missing: Operation timeouts
```
A potential flow for an Availability & Abuse exploit

Where it occurs

Availability attacks can occur at different points of a system, depending on what type of resource is being exploited.

Impact

Availability attacks lead to service downtime affecting all users, financial losses from lost transactions and SLA violations, reputation damage from poor reliability, and more.

Prevention

The specific approach to prevention depends on the exact type of vulnerability, but in general you will want sufficient restrictions, limits, and controls over every resource a request can consume (CPU time, memory, connections, and request rate).
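As an added example (not code from the Sourcery page), here are two of the controls the sequence diagram above lists as missing, a per-client token-bucket rate limiter and a bound on the work a search regex can do, in Python; `TokenBucket`, `handle_search` and the status codes they return are illustrative names, not a real framework API.

```python
import re
import time
from collections import defaultdict

# Constructed example: a /search handler that (1) rate-limits each client with a
# token bucket and (2) bounds regex work before the pattern is ever evaluated.
# Python's `re` module has no evaluation timeout, so the defence has to happen
# before the match call: cap the input size and avoid backtracking-prone patterns.


class TokenBucket:
    """Per-client token bucket: refills `rate` tokens/second up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}  # client -> timestamp of last refill

    def allow(self, client: str) -> bool:
        now = self.clock()
        elapsed = now - self.last.get(client, now)
        self.last[client] = now
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


# Vulnerable: nested quantifier backtracks exponentially on input like "aaaa...!"
UNSAFE_SEARCH = re.compile(r"^(a+)+$")
# Hardened: matches the same strings with a single quantifier (linear backtracking).
SAFE_SEARCH = re.compile(r"^a+$")
MAX_QUERY_LEN = 256  # hypothetical limit; size the cap to your real queries


def handle_search(bucket: TokenBucket, client: str, query: str) -> int:
    """Return an HTTP status: 429 if rate-limited, 413 if oversized, else 200/404."""
    if not bucket.allow(client):
        return 429
    if len(query) > MAX_QUERY_LEN:  # bound regex input before evaluating it
        return 413
    return 200 if SAFE_SEARCH.match(query) else 404


if __name__ == "__main__":
    payload = "a" * 20 + "!"  # constructed ReDoS-style input (small n to keep the demo short)
    for name, pattern in (("unsafe", UNSAFE_SEARCH), ("safe", SAFE_SEARCH)):
        start = time.perf_counter()
        pattern.match(payload)
        print(f"{name}: {time.perf_counter() - start:.4f}s")
```

The `__main__` demo shows the cost gap between the two patterns on a non-matching input; in production, prefer the rate limiter and the length cap over trusting any single pattern to stay cheap.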

Specific Vulnerabilities

Explore specific vulnerability types within this category:

Detect These Vulnerabilities in Your Code

Sourcery automatically identifies availability & abuse and related vulnerabilities in your codebase.
