Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Denial of service: resource consumption, web forms and APIs

Application denial-of-service (AppDoS) vulnerabilities differ from volumetric network attacks. They don't require high traffic volume: a few carefully crafted requests can exhaust a server's CPU, memory, database connections, or storage. The impact is making the application unavailable to legitimate users.

Uncontrolled resource consumption

Some operations are inherently expensive and can be triggered by malicious data. ReDoS (Regular Expression Denial of Service): regular expressions vulnerable to inputs causing exponential backtracking. Billion Laughs XML: nested XML entities that expand exponentially in memory. Zip bomb: compressed archive whose decompressed content exceeds gigabytes. Hash DoS: sending many JSON keys that produce hash collisions in the server's hash table.

ReDoS example: vulnerable regular expression

// Expression vulnérable : groupes imbriqués avec quantificateurs
const re = /^(a+)+$/;

// Pour l'entrée 'aaaaaaaaaaaaaaab', le backtracking est exponentiel
console.time();
re.test('aaaaaaaaaaaaaaab');  // Peut durer des secondes ou minutes
console.timeEnd();

// Utiliser un moteur de regex sans backtracking (RE2) :
const RE2 = require('re2');
const re2 = new RE2('^(a+)+$');
re2.test('aaaaaaaaaaaaaaab');  // Temps linéaire garanti

No rate limiting on forms

A web form without submission rate limiting can be used to exhaust server resources or third-party services. Registration form: sending thousands of confirmation emails, saturating the database. Contact form: saturating the email inbox and sending service. Search form: heavy SQL queries repeated continuously. Upload form: saturating storage.

Per-IP rate limiting (Express.js / express-rate-limit)

const rateLimit = require('express-rate-limit');

// Limiter les soumissions de formulaire de contact
const contactLimiter = rateLimit({
  windowMs: 60 * 60 * 1000,  // 1 heure
  max: 5,                     // 5 soumissions par heure par IP
  message: 'Trop de messages envoyés. Réessayez dans une heure.',
  standardHeaders: true,
  legacyHeaders: false,
});

app.post('/contact', contactLimiter, handleContact);

Inadequate system resource restrictions

Operations without explicit limits can exhaust server resources. Maximum uploaded file size: without limit, an attacker can saturate disk with a single upload. Search results without pagination: a query returning millions of rows saturates memory. Image processing without limits: a large decompressed image consumes excessive memory. Long operation timeouts: a request lasting several minutes monopolises a thread.

API denial of service

GraphQL APIs are particularly exposed to DoS attacks via complex queries. A GraphQL query can request data with many levels of nesting and lists, generating thousands of SQL queries. Query depth limiting and query cost analysis are GraphQL-specific protections. For REST APIs, rate limiting per endpoint and per user is the basic protection.

A question after reading?

Want to assess your application's resilience against DoS? Send a message.

Or book a 30-minute scoping call directly

Book a call