OWASP Tactical Access Defense Series: Unrestricted Resource Consumption

Unrestricted resource consumption occurs when an API does not adequately limit or control the consumption of its resources, such as CPU, memory, disk space, network bandwidth, or database connections. This lack of control can lead to resource exhaustion and denial of service (DoS) conditions.

In this article, we are going through the API4 item from the OWASP Top 10 API Security Risks and exploring the role of F5 BIG-IP Access Policy Manager (APM) in our arsenal.


Identify Vulnerable APIs

It's common to find APIs that do not limit client interactions or resource consumption. 

Unrestricted consumption can affect backend endpoint resources in several ways:

  • Uncontrolled number of resources returned per request.
  • Extra costs incurred on the service provider's business/pricing model.
  • Exhaustion of CPU, memory, disk space or network connections.

Common examples of this vulnerability: 

  • Allowing excessively large payloads in requests.
  • Permitting unbounded loops or deep recursion in API processing logic.
  • Lack of rate limiting, which could allow attackers to overwhelm the API with too many requests.
  • Insufficient control over the creation and management of server-side sessions.

The article Out of the Shadows: API Discovery and Security presents an excellent way to secure APIs via F5 Distributed Cloud (F5 XC). In this article we focus on access capabilities, in particular rate limiting the requests associated with a specific user or machine.

Mitigating Risks with BIG-IP APM


BIG-IP APM provides per-request policy granularity. With per-request granularity, organizations can dynamically enforce access policies based on various factors such as user identity, device characteristics, and contextual information. This enables organizations to implement fine-grained access controls at the API level, mitigating the risks associated with Unrestricted Resource Consumption.

Key Features:

  1. Dynamic Access Control Policies: BIG-IP APM empowers organizations to define dynamic access control policies that adapt to changing conditions in real-time. By evaluating each API request against these policies, BIG-IP APM ensures that only authorized users can access specific resources and perform permitted actions.

  2. Granular Authorization Rules: BIG-IP APM enables organizations to define granular authorization rules that govern access to individual objects or resources within the API ecosystem. By enforcing strict authorization checks at the object level, F5 APM prevents unauthorized users from tampering with sensitive data or performing unauthorized actions.

  3. Identity-Based Rate Limiting: BIG-IP APM can apply rate limits to APIs based on the initiator's identity, which throttles abusive clients while maintaining service for legitimate users.
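To illustrate the control described above, here is an added example (not BIG-IP APM code, and not from the original article) of per-identity rate limiting combined with a payload size cap. It assumes the enforcement point already knows the authenticated identity of each request; the traffic and the scripted clock are constructed sample input.

```python
import time
from dataclasses import dataclass

@dataclass
class _Bucket:
    tokens: float   # remaining request budget for this identity
    last: float     # clock reading at the last refill

class IdentityRateLimiter:
    """Token bucket keyed on the authenticated initiator (hypothetical helper,
    not BIG-IP APM code). Keying on identity rather than source address means one
    abusive account cannot consume the budget of other users behind the same NAT."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity, self.refill, self.clock = capacity, refill_per_sec, clock
        self._buckets = {}

    def allow(self, identity):
        now = self.clock()
        b = self._buckets.setdefault(identity, _Bucket(self.capacity, now))
        # Refill in proportion to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True

def decide(limiter, identity, body_len, max_body):
    """Return the HTTP status an enforcement point would send for one request."""
    if body_len > max_body:          # excessively large payload (API4 example)
        return 413
    if not limiter.allow(identity):  # this identity's budget is exhausted
        return 429
    return 200

# Constructed sample traffic: (seconds, initiator identity, request body bytes).
SAMPLE_EVENTS = [(0.0, "alice", 100)] * 7 + [
    (0.0, "bob", 100),     # bob is unaffected by alice's burst
    (2.0, "alice", 100),   # two seconds later alice has regained two tokens
    (2.0, "carol", 4096),  # oversized payload is rejected before it costs budget
]

def run_sample(capacity=5, refill_per_sec=1.0, max_body=1024):
    """Replay SAMPLE_EVENTS on a scripted clock so the result is deterministic."""
    now = [0.0]
    limiter = IdentityRateLimiter(capacity, refill_per_sec, clock=lambda: now[0])
    statuses = []
    for t, ident, body_len in SAMPLE_EVENTS:
        now[0] = t
        statuses.append(decide(limiter, ident, body_len, max_body))
    return statuses

if __name__ == "__main__":
    print(run_sample())  # [200, 200, 200, 200, 200, 429, 429, 200, 200, 413]
```

The fifth and sixth requests from alice are refused while bob's single request at the same instant is served, which is the "protect while maintaining service for legitimate users" property the feature list refers to.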

Published Jun 06, 2024
Version 1.0
