Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.
CWE-405 Classe Incompleto
Asymmetric Resource Consumption (Amplification)
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The…
Definição
What is CWE-405?
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
This flaw often leads to performance degradation or denial-of-service through resource 'amplification,' where resource use scales non-linearly. A small, malicious request can force the system to perform complex computations, generate massive data outputs, or spawn excessive processes, overwhelming its capacity.
This risk is significantly higher if access controls are weak, allowing low-privilege users or external attackers to consume resources far beyond their intended limits. To prevent this, developers must design systems where the cost of triggering an operation is proportional to the resources consumed, and enforce strict quotas and authorization checks at all access levels.
Impacto no mundo real
Real-world CVEs caused by CWE-405
-
Classic "Smurf" attack, using spoofed ICMP packets to broadcast addresses.
-
Parsing library allows XML bomb
-
Tool creates directories before authenticating user.
-
Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
-
server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
-
composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.
-
Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.
-
The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain "short exponents" with particular properties.
Como os atacantes a exploram
Trajeto do atacante passo a passo
- 1
This code listens on a port for DNS requests and sends the result to the requesting address.
- 2
This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic.
- 3
This function prints the contents of a specified file requested by a user.
- 4
This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway.
- 5
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
Exemplo de código vulnerável
Vulnerable Python
This code listens on a port for DNS requests and sends the result to the requesting address.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind( (UDP_IP,UDP_PORT) )
while true:
data = sock.recvfrom(1024)
if not data:
break
(requestIP, nameToResolve) = parseUDPpacket(data)
record = resolveName(nameToResolve)
sendResponse(requestIP,record) Payload do atacante
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
<!ENTITY ZERO "A">
<!ENTITY ONE "&ZERO;&ZERO;">
<!ENTITY TWO "&ONE;&ONE;">
...
<!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data> Exemplo de código seguro
Secure JavaScript
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção
How to prevent CWE-405
- Architecture and Design An application must make resources available to a client commensurate with the client's access level.
- Architecture and Design An application must, at all times, keep track of allocated resources and meter their usage appropriately.
- System Configuration Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.
Sinais de deteção
How to detect CWE-405
Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.
Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.
Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.
O Plexicus deteta automaticamente o CWE-405 e abre um PR de correção em menos de 60 segundos.
O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.
Perguntas frequentes O que é o CWE-405?
Qual a gravidade do CWE-405?
Que linguagens ou plataformas são afetadas pelo CWE-405?
Como posso prevenir o CWE-405?
Como é que o Plexicus deteta e corrige o CWE-405?
Onde posso saber mais sobre o CWE-405?
Frequently asked questions
O que é o CWE-405?
This vulnerability occurs when a system allows an attacker to trigger a disproportionate amount of resource consumption—like CPU, memory, or bandwidth—with minimal effort on their part. The attacker's small input causes a large, inefficient output, creating an unfair 'asymmetric' advantage.
Qual a gravidade do CWE-405?
A MITRE não publicou uma classificação de probabilidade de exploração para esta fraqueza. Trate-a como impacto médio até o seu modelo de ameaças provar o contrário.
Que linguagens ou plataformas são afetadas pelo CWE-405?
MITRE lists the following affected platforms: Not OS-Specific, Not Architecture-Specific, Not Technology-Specific, Client Server.
Como posso prevenir o CWE-405?
An application must make resources available to a client commensurate with the client's access level. An application must, at all times, keep track of allocated resources and meter their usage appropriately.
Como é que o Plexicus deteta e corrige o CWE-405?
O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-405 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.
Onde posso saber mais sobre o CWE-405?
A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/405.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.
Fraquezas relacionadas
Weaknesses related to CWE-405
CWE-400 Pai
Uncontrolled Resource Consumption
This vulnerability occurs when an application fails to properly manage a finite resource, allowing an attacker to exhaust it and cause a…
CWE-1235 Irmão
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
This weakness occurs when a program relies on automatic boxing and unboxing of primitive types within performance-sensitive code sections,…
CWE-1246 Irmão
Improper Write Handling in Limited-write Non-Volatile Memories
This vulnerability occurs when a system fails to properly manage write operations on memory hardware that has a limited lifespan, such as…
CWE-770 Irmão
Allocation of Resources Without Limits or Throttling
This vulnerability occurs when a system allows users or processes to request resources without any built-in caps or rate limits. Think of…
CWE-771 Irmão
Missing Reference to Active Allocated Resource
This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system…
CWE-779 Irmão
Logging of Excessive Data
This vulnerability occurs when an application records more information than necessary in its logs, making log files difficult to analyze…
CWE-920 Irmão
Improper Restriction of Power Consumption
This vulnerability occurs when software running on a power-constrained device, like a battery-powered mobile or embedded system, fails to…
CWE-1050 Filho
Excessive Platform Resource Consumption within a Loop
This vulnerability occurs when a loop contains code that repeatedly consumes critical system resources like file handles, database…
CWE-1072 Filho
Data Resource Access without Use of Connection Pooling
This weakness occurs when an application creates a new database connection for every request instead of using a managed connection pool.…
Pronto quando você estiver
Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.
O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.