
Timeout

Overview

The API server didn't respond in a reasonable time, so the fuzzer gave up on this request.

This issue can lead to an efficient Denial-of-Service attack. An attacker can leverage problematic requests to consume server resources disproportionate to their own effort.

Recommendation

Ensure that there aren't specific request payloads that cause extremely slow responses.

Mayhem for API (and fuzzing in general!) expects to be able to exercise the target quickly. Even if you consider this to be a false positive from a security standpoint, you will get better coverage if you keep your responses fast!

Examples

Here's a FastAPI example which is vulnerable to an (extremely contrived!) time-based Denial-of-Service attack:

from fastapi import FastAPI
import time

app = FastAPI()

@app.get("/test/{id}")
def test(id: int):
    # One specific input stalls the worker for ten seconds; every other
    # input returns immediately. This is the pattern the Timeout rule flags.
    if id == 9:
        time.sleep(10)
    return {"id": id}

We can see that this endpoint behaves very differently for the specific input '9', like so:

$ time curl localhost:8000/test/1
{"id":1}
real    0m0.013s
user    0m0.004s
sys 0m0.006s
$ time curl localhost:8000/test/9
{"id":9}
real    0m10.019s
user    0m0.005s
sys 0m0.008s

The second request, which took over ten seconds, is the kind of behavior we're talking about on this page. More realistic examples might involve complex regular expressions, high-cardinality database queries, and so on. From the Mayhem for API perspective, these all look the same: the server didn't reply in a reasonable timeframe.
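The following is an added example, not code from the Mayhem for API docs: it applies the same reasoning the fuzzer uses to a constructed set of per-request timings (modelled on the curl session above, plus a hypothetical /search route), flagging any input that either blows past an absolute limit or is far slower than its route's median. Run over real access-log latencies, this is one way to find such inputs before a fuzzer or an attacker does.

```python
"""Flag request inputs whose latency is disproportionate to the route's norm.

Added example (not Mayhem's code). The route names, paths and timings below
are constructed; the /search entries are hypothetical.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (route template, concrete request, elapsed seconds).
# The /test/9 entry mirrors the ten-second response shown above.
SAMPLE_TIMINGS = [
    ("/test/{id}", "/test/1", 0.013),
    ("/test/{id}", "/test/2", 0.011),
    ("/test/{id}", "/test/3", 0.012),
    ("/test/{id}", "/test/9", 10.019),
    ("/search", "/search?q=alpha", 0.020),
    ("/search", "/search?q=beta", 0.025),
    # Hypothetical: one query value hits a slow regex or an unindexed lookup.
    ("/search", "/search?q=pathological", 2.400),
]


def find_slow_inputs(timings, ratio=20.0, hard_limit=5.0):
    """Return (route, request, seconds, reason) for each request that is either
    slower than `hard_limit` seconds outright (the fuzzer's timeout view) or
    `ratio` times slower than the median for its route (a relative anomaly
    that a generous timeout alone would miss)."""
    by_route = defaultdict(list)
    for route, _request, secs in timings:
        by_route[route].append(secs)
    baseline = {route: median(vals) for route, vals in by_route.items()}

    findings = []
    for route, request, secs in timings:
        if secs > hard_limit:
            findings.append((route, request, secs, "exceeds hard limit"))
        elif secs > ratio * baseline[route]:
            findings.append((route, request, secs, "outlier vs route median"))
    return findings


if __name__ == "__main__":
    for route, request, secs, reason in find_slow_inputs(SAMPLE_TIMINGS):
        print(f"{route:12} {request:24} {secs:8.3f}s  {reason}")
```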

If you've determined that this kind of slow response time isn't problematic behavior, you can prevent mapi from generating these issues by passing --ignore-rule Timeout to the "mapi run" command.

References

  • Common Weakness Enumeration: CWE-730.