
Unrestricted Resource Consumption Testing: API4:2023


    API4:2023 Unrestricted Resource Consumption, also known as “Resource Exhaustion” or “Denial-of-Service (DoS),” is a critical vulnerability that can impact the availability and performance of an API. In this blog post, we will delve into the process of testing, performing, and exploiting this vulnerability using popular tools like Postman and Burp Suite.

    Testing Setup:

    To begin, we need a testing setup comprising an API endpoint that exhibits the vulnerability we want to exploit. Let’s consider a simple e-commerce API that provides a search functionality. We will assume that this API has a vulnerability where it does not limit the amount of data returned in response to a search query.

    1. Setting Up the API Endpoint:

    In this example, let’s assume the search endpoint is `GET /api/search`. Ensure that the API is running and accessible for testing purposes.

    2. Testing Tools:

    For this demonstration, we will utilize two popular tools: Postman and Burp Suite. Postman allows us to construct API requests easily, while Burp Suite acts as a proxy to intercept and manipulate these requests.

    Testing the Vulnerability with Postman:

    Postman simplifies the process of crafting API requests and analysing responses. Follow these steps to test the API for unrestricted resource consumption:

    1. Open Postman and create a new request.
    2. Set the request method to GET and enter the API endpoint: `/api/search`.
    3. Craft a search query with many wildcards or a non-existent item to simulate resource-intensive requests.
    4. Send the request and observe the response time and data returned.
    5. Repeat the process with different variations of large or complex queries to assess the impact on system resources.

    Analyzing and Exploiting the Vulnerability with Burp Suite:

    Burp Suite is a powerful tool that allows us to intercept, modify, and analyze HTTP requests and responses. By leveraging its capabilities, we can gain deeper insights into the vulnerability and potentially exploit it further. Follow these steps to utilize Burp Suite:

    1. Configure Burp Suite as a proxy:
       - Open Burp Suite and go to the “Proxy” tab.
       - Ensure the “Intercept” option is enabled.
       - Configure your browser or Postman to use Burp Suite as the proxy.
    2. Intercept the request:
       - Make a search request in Postman.
       - In Burp Suite, you will see the intercepted request in the “Proxy” tab.
       - Right-click on the request and choose “Send to Repeater” to analyze and manipulate it.
    3. Analyze the request in Repeater:
       - In the “Repeater” tab, you can modify the request parameters, including the search query.
       - Experiment with different variations of queries to observe the impact on the API and system resources.
       - Note the response time, server load, and any errors or anomalies observed.
    4. Exploiting the vulnerability:
       - Craft requests that intentionally consume excessive resources, such as large search queries or highly complex filters.
       - Observe the impact on the system, such as increased response time, server load, or potential errors.
       - Document the behavior and gather evidence to support the identification of the vulnerability.


    Testing, performing, and exploiting the API4:2023 Unrestricted Resource Consumption vulnerability are essential steps in ensuring the security and reliability of APIs. By using tools like Postman and Burp Suite, developers and security professionals can understand the potential risks associated with unrestricted resource consumption and take appropriate measures to mitigate them. It is crucial to identify and address these vulnerabilities early in the development lifecycle to protect the API infrastructure and maintain a high level of service availability and performance.
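
The search endpoint assumed in the testing setup returns every match in one response. The following added example (not code from the original post) places that behaviour beside a bounded version that caps request rate, query shape and response size. The catalogue data, limit values and all function and class names are assumptions made for illustration.

```python
import time
from itertools import islice

# All names and limits below are assumptions for illustration.
MAX_QUERY_LEN = 64       # longest accepted search term
MAX_WILDCARDS = 2        # most '*' / '%' characters allowed in one query
MAX_PAGE_SIZE = 50       # hard ceiling on items per response
CATALOGUE = [f"item-{i:04d}" for i in range(1000)]  # constructed sample data

class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

class TokenBucket:
    """Per-client budget: bursts up to `capacity`, refilled at `rate` tokens/sec."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.stamp = float(capacity), time.monotonic()

    def allow(self):
        now = time.monotonic()
        self.tokens = min(self.capacity, self.tokens + (now - self.stamp) * self.rate)
        self.stamp = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def search_unbounded(q):
    """Behaviour the post tests for: every match goes into one response."""
    term = q.strip("*%")
    return [name for name in CATALOGUE if term in name]

def search_bounded(q, limit=20, offset=0, bucket=None):
    """Same search with request rate, query shape and response size capped."""
    if bucket is not None and not bucket.allow():
        raise Rejected(429, "rate limit exceeded")
    if not 1 <= len(q) <= MAX_QUERY_LEN:
        raise Rejected(400, "query length out of range")
    if sum(q.count(c) for c in "*%") > MAX_WILDCARDS:
        raise Rejected(400, "too many wildcards")
    limit = max(1, min(int(limit), MAX_PAGE_SIZE))   # clamp client-supplied size
    offset = max(0, int(offset))
    term = q.strip("*%")
    hits = (name for name in CATALOGUE if term in name)
    items = list(islice(hits, offset, offset + limit))  # stop scanning early
    more = len(items) == limit
    return {"items": items, "next_offset": offset + limit if more else None}
```

When retesting with Postman or Burp Suite after such a fix, an oversized `limit` should come back clamped to the ceiling, and repeated requests from one client should start returning 429 once the bucket is empty.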


    API4:2023 Unrestricted Resource Consumption – OWASP API Security Top 10
