Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.
CWE-405 Classe Incomplet
Asymmetric Resource Consumption (Amplification)
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The…
Définition
What is CWE-405?
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
This flaw often leads to performance degradation or denial-of-service through resource 'amplification,' where resource use scales non-linearly. A small, malicious request can force the system to perform complex computations, generate massive data outputs, or spawn excessive processes, overwhelming its capacity.
This risk is significantly higher if access controls are weak, allowing low-privilege users or external attackers to consume resources far beyond their intended limits. To prevent this, developers must design systems where the cost of triggering an operation is proportional to the resources consumed, and enforce strict quotas and authorization checks at all access levels.
Impact réel
Real-world CVEs caused by CWE-405
-
Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
-
Parsing library allows XML bomb
-
Tool creates directories before authenticating user.
-
Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
-
server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
-
composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
-
Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
-
The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.
Comment les attaquants l'exploitent
Parcours de l'attaquant étape par étape
- 1
This code listens on a port for DNS requests and sends the result to the requesting address.
- 2
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
- 3
This function prints the contents of a specified file requested by a user.
- 4
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
- 5
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Exemple de code vulnérable
Vulnerable Python
This code listens on a port for DNS requests and sends the result to the requesting address.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind( (UDP_IP,UDP_PORT) )
while true:
data = sock.recvfrom(1024)
if not data:
break
(requestIP, nameToResolve) = parseUDPpacket(data)
record = resolveName(nameToResolve)
sendResponse(requestIP,record) Charge utile de l'attaquant
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data> Exemple de code sécurisé
Secure JavaScript
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention
How to prevent CWE-405
- Architecture and Design An application must make resources available to a client commensurate with the client's access level.
- Architecture and Design An application must, at all times, keep track of allocated resources and meter their usage appropriately.
- System Configuration Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Signaux de détection
How to detect CWE-405
Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.
Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.
Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.
Plexicus détecte automatiquement CWE-405 et ouvre une PR de correction en moins de 60 secondes.
Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.
Questions fréquentes Qu'est-ce que CWE-405 ?
Quelle est la gravité de CWE-405 ?
Quels langages ou plateformes sont affectés par CWE-405 ?
Comment puis-je prévenir CWE-405 ?
Comment Plexicus détecte et corrige CWE-405 ?
Où puis-je en savoir plus sur CWE-405 ?
Frequently asked questions
Qu'est-ce que CWE-405 ?
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
Quelle est la gravité de CWE-405 ?
MITRE n'a pas publié de note de probabilité d'exploitation pour cette faiblesse. Traitez-la comme un impact moyen jusqu'à ce que votre modèle de menace prouve le contraire.
Quels langages ou plateformes sont affectés par CWE-405 ?
MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific, Client Server.
Comment puis-je prévenir CWE-405 ?
An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Comment Plexicus détecte et corrige CWE-405 ?
Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-405 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.
Où puis-je en savoir plus sur CWE-405 ?
MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/405.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.
Faiblesses associées
Weaknesses related to CWE-405
CWE-400 Parent
Uncontrolled Resource Consumption
This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a…
CWE-1235 Frère
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections,…
CWE-1246 Frère
Improper Write Handling in Limited-write Non-Volatile Memories
This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as…
CWE-770 Frère
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
CWE-771 Frère
Missing Reference to Active Allocated Resource
This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system…
CWE-779 Frère
Logging of Excessive Data
This vulnerability occurs when an application records more information than necessary in its logs, making log files difficult to analyze…
CWE-920 Frère
Improper Restriction of Power Consumption
This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to…
CWE-1050 Enfant
Excessive Platform Resource Consumption within a Loop
This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database…
CWE-1072 Enfant
Data Resource Access without Use of Connection Pooling
This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool.…
Prêt quand vous l'êtes
Arrêtez de payer par développeur.
Commencez à fermer la boucle.
Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.