{"@ID": "405", "@Name": "Asymmetric Resource Consumption (Amplification)", "@Abstraction": "Class", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is \"asymmetric.\"", "Extended_Description": "This can lead to poor performance due to \"amplification\" of resource consumption, typically in a non-linear fashion.  This situation is worsened if the product allows malicious users or attackers to consume more resources than their access level permits.", "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "400", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Resultant"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": [{"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}, {"@Class": "Client Server", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design"}, {"Phase": "Implementation"}, {"Phase": "Operation"}]}, "Common_Consequences": {"Consequence": {"Scope": "Availability", "Impact": ["DoS: Amplification", "DoS: Resource Consumption (CPU)", "DoS: Resource Consumption (Memory)", "DoS: Resource Consumption (Other)"], "Likelihood": "High", "Note": "Sometimes this is a factor in \"flood\" attacks, but other types of amplification exist."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "An application must make resources available to a client commensurate with the client's access level."}, {"Phase": "Architecture and Design", "Description": "An application must, at all times, keep track of allocated resources and meter their usage appropriately."}, {"Phase": "System Configuration", "Description": "Consider disabling resource-intensive algorithms on the server side, such as Diffie-Hellman key exchange.", "Effectiveness": "High", "Effectiveness_Notes": "Business requirements may prevent disabling resource-intensive algorithms."}]}, "Demonstrative_Examples": {"Demonstrative_Example": [{"@Demonstrative_Example_ID": "DX-113", "Intro_Text": "This code listens on a port for DNS requests and sends the result to the requesting address.", "Example_Code": {"@Nature": "Bad", "@Language": "Python", "xhtml:div": {"xhtml:br": [null, null], "xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null], "xhtml:div": {"@style": "margin-left:1em;", "#text": "break"}, "#text": "data = sock.recvfrom(1024)if not data:\n                           (requestIP, nameToResolve) = parseUDPpacket(data)record = resolveName(nameToResolve)sendResponse(requestIP,record)"}}, "#text": "sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)sock.bind( (UDP_IP,UDP_PORT) )while true:"}}, "Body_Text": "This code sends a DNS record to a requesting IP address. UDP allows the source IP address to be easily changed ('spoofed'), thus allowing an attacker to redirect responses to a target, which may be then be overwhelmed by the network traffic."}, {"@Demonstrative_Example_ID": "DX-157", "Intro_Text": "This function prints the contents of a specified file requested by a user.", "Example_Code": {"@Nature": "Bad", "@Language": "PHP", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "//read file into string", "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:br": null, "#text": "echo $file;return true;"}, {"@style": "margin-left:1em;", "#text": "echo 'You are not authorized to view this file';"}], "#text": "$file = file_get_contents($filename);if ($file && isOwnerOf($username,$filename)){}else{}return false;"}}, "#text": "function printFile($username,$filename){}"}}, "Body_Text": "This code first reads a specified file into memory, then prints the file if the user is authorized to see its contents. The read of the file into memory may be resource intensive and is unnecessary if the user is not allowed to see the file anyway."}, {"@Demonstrative_Example_ID": "DX-53", "Intro_Text": "The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity THIRTYTWO, which will expand to 2^32 characters in length, or 4 GB, probably consuming far more data than expected.", "Example_Code": {"@Nature": "Attack", "@Language": "XML", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "#text": "<?xml version=\"1.0\"?><!DOCTYPE MaliciousDTD [<!ENTITY ZERO \"A\"><!ENTITY ONE \"&ZERO;&ZERO;\"><!ENTITY TWO \"&ONE;&ONE;\">...<!ENTITY THIRTYTWO \"&THIRTYONE;&THIRTYONE;\">]><data>&THIRTYTWO;</data>"}}}, {"@Demonstrative_Example_ID": "DX-158", "Intro_Text": "This example attempts to check if an input string is a \"sentence\" [REF-1164].", "Example_Code": [{"@Nature": "Bad", "@Language": "JavaScript", "xhtml:br": [null, null], "#text": "var test_string = \"Bad characters: $@#\";\n               var bad_pattern  = /^(\\w+\\s?)*$/i;\n               var result = test_string.search(bad_pattern);"}, {"@Nature": "Good", "@Language": "JavaScript", "xhtml:br": [null, null], "#text": "var test_string = \"Bad characters: $@#\";\n               var good_pattern  = /^((?=(\\w+))\\2\\s?)*$/i;\n               var result = test_string.search(good_pattern);"}], "Body_Text": [{"xhtml:p": ["The regular expression has a vulnerable backtracking clause inside (\\w+\\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.", "To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \\2 which prevents the backtracking. The modified example is:"]}, "Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx."]}, {"Intro_Text": "An adversary can cause significant resource\n\t     consumption on a server by filtering the cryptographic\n\t     algorithms offered by the client to the ones that are the\n\t     most resource-intensive on the server side. After\n\t     discovering which cryptographic algorithms are supported\n\t     by the server, a malicious client can send the initial\n\t     cryptographic handshake messages that contains only the\n\t     resource-intensive algorithms. For some cryptographic\n\t     protocols, these messages can be completely\n\t     prefabricated, as the resource-intensive part of the\n\t     handshake happens on the server-side first (such as TLS),\n\t     rather than on the client side. In the case of\n\t     cryptographic protocols where the resource-intensive part\n\t     should happen on the client-side first (such as SSH), a\n\t     malicious client can send a forged/precalculated\n\t     computation result, which seems correct to the server, so\n\t     the resource-intensive part of the handshake is going to\n\t     happen on the server side. A malicious client is required\n\t     to send only the initial messages of a cryptographic\n\t     handshake to initiate the resource-consuming part of the\n\t     cryptographic handshake. These messages are usually\n\t     small, and generating them requires minimal computational\n\t     effort, enabling a denial-of-service attack. An\n\t     additional risk is the fact that higher key size\n\t     increases the effectiveness of the attack. Cryptographic\n\t     protocols where the clients have influence over the size\n\t     of the used key (such as TLS 1.3 or SSH) are most at\n\t     risk, as the client can enforce the highest key size\n\t     supported by the server."}]}, "Observed_Examples": {"Observed_Example": [{"Reference": "CVE-1999-0513", "Description": "Classic \"Smurf\" attack, using spoofed ICMP packets to broadcast addresses.", "Link": "https://www.cve.org/CVERecord?id=CVE-1999-0513"}, {"Reference": "CVE-2003-1564", "Description": "Parsing library allows XML bomb", "Link": "https://www.cve.org/CVERecord?id=CVE-2003-1564"}, {"Reference": "CVE-2004-2458", "Description": "Tool creates directories before authenticating user.", "Link": "https://www.cve.org/CVERecord?id=CVE-2004-2458"}, {"Reference": "CVE-2020-10735", "Description": "Python has \"quadratic complexity\" issue when converting string to int with many digits in unexpected bases", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-10735"}, {"Reference": "CVE-2020-5243", "Description": "server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.", "Link": "https://www.cve.org/CVERecord?id=CVE-2020-5243"}, {"Reference": "CVE-2013-5211", "Description": "composite: NTP feature generates large responses (high amplification factor) with spoofed UDP source addresses.", "Link": "https://www.cve.org/CVERecord?id=CVE-2013-5211"}, {"Reference": "CVE-2002-20001", "Description": "Diffie-Hellman (DHE) Key Agreement Protocol allows attackers to send arbitrary numbers that are not public keys, which causes the server to perform expensive, unnecessary computation of modular exponentiation.", "Link": "https://www.cve.org/CVERecord?id=CVE-2002-20001"}, {"Reference": "CVE-2022-40735", "Description": "The Diffie-Hellman Key Agreement Protocol allows use of long exponents, which are more computationally expensive than using certain \"short exponents\" with particular properties.", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-40735"}]}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Asymmetric resource consumption (amplification)"}, {"@Taxonomy_Name": "OWASP Top Ten 2004", "Entry_ID": "A9", "Entry_Name": "Denial of Service", "Mapping_Fit": "CWE More Specific"}, {"@Taxonomy_Name": "WASC", "Entry_ID": "41", "Entry_Name": "XML Attribute Blowup"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "TPS00-J", "Entry_Name": "Use thread pools to enable graceful degradation of service during traffic bursts"}, {"@Taxonomy_Name": "The CERT Oracle Secure Coding Standard for Java (2011)", "Entry_ID": "FIO04-J", "Entry_Name": "Release resources when they are no longer needed"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-1164"}}, "Mapping_Notes": {"Usage": "Allowed-with-Review", "Rationale": "This CWE entry is a Class and might have Base-level children that would be more appropriate", "Comments": "Examine children of this entry to see if there is a better fit", "Reasons": {"Reason": {"@Type": "Abstraction"}}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "Eric Dalci", "Modification_Organization": "Cigital", "Modification_Date": "2008-07-01", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-10-14", "Modification_Version": "1.0.1", "Modification_ReleaseDate": "2008-10-14", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-07-27", "Modification_Version": "1.5", "Modification_ReleaseDate": "2009-07-27", "Modification_Comment": "updated Common_Consequences, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-12-13", "Modification_Version": "1.11", "Modification_ReleaseDate": "2010-12-13", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences, Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-27", "Modification_Version": "2.0", "Modification_ReleaseDate": "2011-06-27", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Potential_Mitigations"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2015-12-07", "Modification_Version": "2.9", "Modification_ReleaseDate": "2015-12-07", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Functional_Areas"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-01-03", "Modification_Version": "3.2", "Modification_ReleaseDate": "2019-01-03", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-06-20", "Modification_Version": "3.3", "Modification_ReleaseDate": "2019-06-20", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Observed_Examples, Potential_Mitigations, References, Time_of_Introduction"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2024-02-29", "Modification_Version": "4.14", "Modification_ReleaseDate": "2024-02-29", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Szil\u00e1rd Pfeiffer", "Contribution_Organization": "Balasys IT Security", "Contribution_Date": "2021-11-11", "Contribution_Comment": "Submitted content that led to modifications in applicable platforms, common consequences, potential mitigations, demonstrative examples, observed examples."}}}
