An attacker could cause the program to crash or otherwise become unavailable to legitimate users.
Attackers may be able to deny service to legitimate users by flooding the application with requests, but flooding attacks can often be defused at the network layer. More problematic are bugs that allow an attacker to overload the application using a small number of requests. Such bugs allow the attacker to specify the quantity of system resources their requests will consume or the duration for which they will use them.
Example 1: The following code allows a user to specify the amount of time for which a thread will sleep. By specifying a large number, an attacker can tie up the thread indefinitely. With a small number of requests, the attacker can deplete the application's thread pool.
int usrSleepTime = Integer.parseInt(usrInput);
Thread.sleep(usrSleepTime);
readLine()
method, it will read an unbounded amount of input. An attacker can take advantage of this code to cause an OutOfMemoryException
or to consume a large amount of memory so that the program spends more time performing garbage collection or runs out of memory during some subsequent operation.
InputStream zipInput = zipFile.getInputStream(zipEntry);
Reader zipReader = new InputStreamReader(zipInput);
BufferedReader br = new BufferedReader(zipReader);
String line = br.readLine();
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730
[4] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Denial of Service
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9