CWE-405 Clase Incompleto

Asymmetric Resource Consumption (Amplification)

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The…

Definición

What is CWE-405?

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
This flaw often leads to performance degradation or denial-of-service through resource 'amplification,' where resource use scales non-linearly. A small, malicious request can force the system to perform complex computations, generate massive data outputs, or spawn excessive processes, overwhelming its capacity. This risk is significantly higher if access controls are weak, allowing low-privilege users or external attackers to consume resources far beyond their intended limits. To prevent this, developers must design systems where the cost of triggering an operation is proportional to the resources consumed, and enforce strict quotas and authorization checks at all access levels.
Impacto en el mundo real

Real-world CVEs caused by CWE-405

  • CVE-1999-0513

    Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.

  • CVE-2003-1564

    Parsing library allows XML bomb

  • CVE-2004-2458

    Tool creates directories before authenticating user.

  • CVE-2020-10735

    Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases

  • CVE-2020-5243

    server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

  • CVE-2013-5211

    composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.

  • CVE-2002-20001

    Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.

  • CVE-2022-40735

    The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.

Cómo lo explotan los atacantes

Ruta del atacante paso a paso

  1. 1

    This code listens on a port for DNS requests and sends the result to the requesting address.

  2. 2

    This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.

  3. 3

    This function prints the contents of a specified file requested by a user.

  4. 4

    This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.

  5. 5

    The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Ejemplo de código vulnerable

Vulnerable Python

This code listens on a port for DNS requests and sends the result to the requesting address.

Vulnerable Python 
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock.bind( (UDP_IP,UDP_PORT) )
  while true:
  		data = sock.recvfrom(1024)
  		if not data:
  			break
  		(requestIP, nameToResolve) = parseUDPpacket(data)
  		record = resolveName(nameToResolve)
  		sendResponse(requestIP,record)
Payload del atacante

The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.

Payload del atacante XML 
<?xml version="1.0"?>
  <!DOCTYPE MaliciousDTD [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
  ...
  <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
  ]>
  <data>&THIRTYTWO;</data>
Ejemplo de código seguro

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Seguro JavaScript 
var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de prevención

How to prevent CWE-405

  • Architecture and Design An application must make resources available to a client commensurate with the client's access level.
  • Architecture and Design An application must, at all times, keep track of allocated resources and meter their usage appropriately.
  • System Configuration Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Señales de detección

How to detect CWE-405

SAST High

Ejecuta análisis estático (SAST) sobre el código buscando el patrón inseguro en el flujo de datos.

DAST Moderate

Ejecuta pruebas dinámicas de seguridad de aplicaciones (DAST) contra el endpoint en vivo.

Runtime Moderate

Vigila los logs en tiempo de ejecución para detectar trazas de excepción inusuales, entradas malformadas o intentos de bypass de autorización.

Code review Moderate

Revisión de código: marca cualquier código nuevo que maneje entrada desde esta superficie sin usar los helpers validados del framework.

Auto-corrección de Plexicus

Plexicus detecta automáticamente CWE-405 y abre un PR de corrección en menos de 60 segundos.

Codex Remedium escanea cada commit, identifica esta debilidad concreta y entrega un pull request listo para revisión con el parche. Sin tickets. Sin traspasos.

Solicitar demo Probar Plexicus gratis
Preguntas frecuentes

Frequently asked questions

¿Qué es CWE-405?

This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.

¿Qué gravedad tiene CWE-405?

MITRE no ha publicado una calificación de probabilidad de explotación para esta debilidad. Trátala como de impacto medio hasta que tu modelo de amenazas demuestre lo contrario.

¿Qué lenguajes o plataformas se ven afectados por CWE-405?

MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific, Client Server.

¿Cómo puedo prevenir CWE-405?

An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately.

¿Cómo detecta y corrige Plexicus CWE-405?

El motor SAST de Plexicus detecta la firma de flujo de datos para CWE-405 en cada commit. Cuando hay coincidencia, nuestro agente Codex Remedium abre un PR de corrección con el código corregido, las pruebas y un resumen de una línea para el revisor.

¿Dónde puedo aprender más sobre CWE-405?

MITRE publica la definición canónica en https://cwe.mitre.org/data/definitions/405.html. También puedes consultar la documentación de OWASP y NIST para guías relacionadas.

Debilidades relacionadas

Weaknesses related to CWE-405

CWE-400 Padre

Uncontrolled Resource Consumption

This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a…

CWE-1235 Hermano

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections,…

CWE-1246 Hermano

Improper Write Handling in Limited-write Non-Volatile Memories

This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as…

CWE-770 Hermano

Allocation of Resources Without Limits or Throttling

This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…

CWE-771 Hermano

Missing Reference to Active Allocated Resource

This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system…

CWE-779 Hermano

Logging of Excessive Data

This vulnerability occurs when an application records more information than necessary in its logs, making log files difficult to analyze…

CWE-920 Hermano

Improper Restriction of Power Consumption

This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to…

CWE-1050 Hijo

Excessive Platform Resource Consumption within a Loop

This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database…

CWE-1072 Hijo

Data Resource Access without Use of Connection Pooling

This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool.…

Recursos

Further reading

Listo cuando tú lo estés

Deja de pagar por desarrollador.
Empieza a cerrar el bucle.

Plexicus es el ASPM nativo de IA que escanea, filtra, corrige, pentestea y explica — de forma autónoma. Desarrolladores ilimitados, repos ilimitados, acciones de IA de uso justo. Nivel gratuito real, €269/mo anual cuando estés listo.

Comenzar gratis Reservar una demo