Layer 7 Denial of Service via Unchecked Input for Loop Condition
Description
The application loops over user-controlled data without bounding the number of iterations, which can lead to a layer 7 denial of service. Layer 7 is the application layer of the OSI model: unlike a volumetric attack on the network or transport layer, a layer 7 attack exhausts the server's own CPU time or memory with requests that are individually well-formed. That is what happens when user-controlled input such as an object, array or string is iterated without validation or limits: the request body alone decides how much work the handler performs, so one request carrying a very large array, or simply a large declared length, can keep the process busy for as long as the attacker likes.
Examples
Insecure Code

```javascript
const express = require('express');
const app = express();
app.use(express.json()); // parses the JSON request body into req.body
app.post('/dos/layer7-object-dos/for-loop/1', function (req, res) {
  var list = req.body.list;
  // Unbounded: the client chooses list.length, so a huge array, or an object
  // such as {"length": 1e12} that is not an array at all, keeps this loop busy
  for (let i = 0; i < list.length; i++) {
    // loop over user-controlled input
  }
  res.send("res")
});
```

Secure Code
```javascript
const express = require('express');
const app = express();
app.use(express.json()); // parses the JSON request body into req.body
app.post('/dos/layer7-object-dos/for-loop/1', function (req, res) {
  var list = req.body.list;
  // Reject anything that is not an array: a missing list would throw on .length,
  // and an object such as {"length": 1e12} or a string would supply its own length
  if (!Array.isArray(list)) {
    return res.status(400).send("list must be an array");
  }
  for (let i = 0; i < Math.min(10, list.length); i++) {
    // limit loop iterations to a fixed maximum regardless of input size
  }
  res.send("res")
});
```

Remediation
Bound the work a single request can cause. Check the type of the input before reading its length, cap the number of iterations (either by truncating against a fixed maximum, as above, or by rejecting oversized input with a 400), and apply the same discipline to input sizes, request body size and recursion depth, so that no single request can consume excessive CPU cycles or memory.
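The following is an added example for this rule page, not code from the page or from any project it describes. It serves both the description above (why `list.length` is attacker-controlled even when no array is sent) and the remediation (validating and bounding the input before the loop runs). It needs no Express install, so the route is modelled by a function that takes the already-parsed body; `MAX_LIST_ITEMS`, `insecureIterationCount`, `boundedList`, `handleListRequest` and the sample bodies are hypothetical names and constructed inputs, and the cap of 10 is chosen to match the `Math.min(10, ...)` in the secure snippet.

```javascript
// Added example (not the rule's own code): models what the insecure condition
// `i < list.length` does for several constructed JSON bodies, and shows a
// validator that bounds the work before any loop runs. Plain Node, no Express.

// Hypothetical cap, matching the Math.min(10, ...) in the page's secure snippet.
const MAX_LIST_ITEMS = 10;

// How many times the insecure loop would run for a parsed `req.body.list`,
// computed without running it. Mirrors the comparison's semantics: a missing
// `list` throws TypeError on `.length` (an unhandled 500 in the real handler),
// any other value is compared numerically by `<`.
function insecureIterationCount(list) {
  const n = Number(list.length);
  if (Number.isNaN(n) || n <= 0) return 0;  // `i < undefined`, `i < NaN`, `i < -3` are all false
  if (n === Infinity) return Infinity;       // JSON.parse('1e400') yields Infinity: the loop never ends
  return Math.ceil(n);                       // `i < 2.5` holds for i = 0, 1, 2
}

// Validation the handler should do before looping: the value must be a real
// JSON array (an object carrying a `length` property, or a string, is not one)
// and must not exceed the cap. Rejecting rather than truncating keeps the
// behaviour explicit; Math.min-style truncation silently drops items.
function boundedList(input, max = MAX_LIST_ITEMS) {
  if (!Array.isArray(input)) {
    throw new RangeError('list must be a JSON array');
  }
  if (input.length > max) {
    throw new RangeError(`list may contain at most ${max} items`);
  }
  return input;
}

// Framework-free stand-in for the Express route: takes the parsed body and
// returns what the handler would respond with.
function handleListRequest(body) {
  let list;
  try {
    list = boundedList(body.list);
  } catch (err) {
    if (err instanceof RangeError) {
      return { status: 400, iterations: 0, error: err.message };
    }
    throw err;
  }
  let iterations = 0;
  for (let i = 0; i < list.length; i++) {
    iterations++; // stands in for the real per-item work
  }
  return { status: 200, iterations };
}

// Constructed request bodies, as express.json() would parse them.
const SAMPLE_BODIES = {
  honest:     '{"list": [1, 2, 3]}',
  fakeLength: '{"list": {"length": 1000000000}}', // a few dozen bytes, one billion iterations, no array
  infinite:   '{"list": {"length": 1e400}}',      // the number parses to Infinity
  string:     '{"list": "abc"}',                  // strings have a .length too
  missing:    '{}',
};

// Insecure iteration count versus the validated handler's response, per body.
function compare(name) {
  const body = JSON.parse(SAMPLE_BODIES[name]);
  let insecure;
  try {
    insecure = insecureIterationCount(body.list);
  } catch (err) {
    insecure = err.constructor.name; // the insecure handler would crash with a 500
  }
  return { insecure, secure: handleListRequest(body) };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of Object.keys(SAMPLE_BODIES)) {
    console.log(name, JSON.stringify(compare(name)));
  }
}
```

Run it with `node` to print the comparison for each sample body. Two points worth noticing: `express.json()` refuses bodies over its default 100kb limit, which bounds a literal array but does nothing against `{"length": 1000000000}`, so a body-size limit alone does not satisfy this rule; and whether to truncate with `Math.min` or reject with a 400 is a product decision, but either has to come after the `Array.isArray` check, because a missing `list` throws on `.length` and a string supplies a length of its own.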
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0365 |
| Category | InsecureConfig |
| Severity | MEDIUM |
| CWE | CWE-606 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | Denial of Service, Layer 7 |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |