Allocation Of Resources Without Limits
ID: javascript.allocation_of_resources_without_limits
Severity: low
Resource: Resource Management
Language: JavaScript
Tags: CWE:770, NIST.SP.800-53, OWASP:2021:A5
Description
This rule identifies instances where resources are allocated without any limits, potentially leading to Denial of Service (DoS) attacks.
In JavaScript, this often involves using frameworks like Express.js without implementing a rate limiting mechanism.
Rationale
When a web application does not limit the resources allocated per request, it becomes vulnerable to abuse. Attackers could overwhelm the server by sending a large number of requests in a short period, consuming excessive CPU, memory, or bandwidth. This can degrade performance or even crash the application.
In Express.js, failing to implement rate limiting allows an attacker to flood the application with too many requests, causing resource exhaustion. Here is an example of an Express.js server without rate limiting:
const express = require('express');
const app = express();

app.get('/', (req, res) => { // FLAW
  res.send('Welcome!');
});

app.listen(3000, () => {
  console.log('Server is listening on port 3000');
});
Without any restriction, this server accepts an unlimited number of requests from any single client, leaving it exposed to resource exhaustion.
Remediation
To mitigate this vulnerability, implement a rate limiting middleware. This limits the number of requests a client can make in a given timeframe, thus protecting the server from being overwhelmed.
Use a package like express-rate-limit to achieve this:
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// Apply rate limiting to all requests
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // Limit each IP to 100 requests per windowMs
});
app.use(limiter);

app.get('/', (req, res) => {
  res.send('Welcome!');
});

app.listen(3000, () => {
  console.log('Server is listening on port 3000');
});
By implementing rate limiting, the server is protected against resource exhaustion attacks, improving both performance and security.
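To make the mechanism behind the middleware concrete, here is an added example (not part of this rule page and not the express-rate-limit package) of a dependency-free fixed-window limiter with the same 15-minute / 100-request defaults. It assumes Express-style req/res objects for the middleware; the clock is injectable so the window behaviour can be tested without waiting.

```javascript
// Added example: minimal fixed-window rate limiter, one bucket per key (client IP).
function createRateLimiter({ windowMs = 15 * 60 * 1000, max = 100, now = Date.now } = {}) {
  // key -> { count, windowStart }; grows with distinct keys, see prune()
  const buckets = new Map();

  // Record one hit for `key` and report whether it is within the limit.
  function check(key) {
    const t = now();
    let bucket = buckets.get(key);
    // Open a fresh window if none exists or the current one has expired.
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t };
      buckets.set(key, bucket);
    }
    bucket.count += 1;
    const allowed = bucket.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - bucket.count),
      retryAfterMs: allowed ? 0 : bucket.windowStart + windowMs - t,
    };
  }

  // Drop expired buckets so the limiter's own memory is bounded by the number
  // of keys seen in one window rather than by every key ever seen.
  function prune() {
    const t = now();
    for (const [key, b] of buckets) {
      if (t - b.windowStart >= windowMs) buckets.delete(key);
    }
    return buckets.size;
  }

  // Express-style middleware keyed on req.ip. Behind a reverse proxy req.ip is
  // the proxy's address unless Express's 'trust proxy' setting is configured.
  function middleware(req, res, next) {
    const result = check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).send('Too many requests');
      return;
    }
    next();
  }

  return { check, prune, middleware };
}
```

Like the in-memory store of express-rate-limit, this state is per process, so a multi-instance deployment needs a shared store for the limit to hold across instances.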
References
- CWE-770: Allocation of Resources Without Limits or Throttling.