Sleep Injection
ID: java.sleep_injection
Severity: critical
Resource: Injection
Language: Java
Tags: CWE:400, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1, PCI-DSS:6.5.6
Rationale
Sleep injection vulnerabilities occur when user-controlled input influences the duration of a sleep statement, allowing an attacker to degrade the application's performance.
These vulnerabilities, categorized under CWE-400, arise when user input is used without sufficient validation or sanitization, so a malicious party can submit very large delays that hinder application availability and responsiveness.
For example, consider the following piece of Java code:
public void delayResponse(String input) throws InterruptedException {
    int sleepTime = Integer.parseInt(input);
    Thread.sleep(sleepTime);
}
In this case, the input is controlled by the user and converted directly into an integer that dictates the sleep time, so an attacker can provide excessively high values that make the thread sleep for an unreasonable amount of time, effectively putting the service into a Denial of Service condition.
Remediation
To mitigate sleep injection issues in Java, you should ensure proper validation and sanitization of all user inputs that control sleep durations. Employing input validation to enforce sane limits on sleep duration can prevent misuse.
Here’s an example remediation approach:
public void delayResponse(String input) throws InterruptedException {
    int defaultSleepTime = 1000; // default to 1 second
    int maxSleepTime = 5000;     // set max limit to 5 seconds
    int sleepTime;
    try {
        sleepTime = Integer.parseInt(input);
    } catch (NumberFormatException e) {
        sleepTime = defaultSleepTime; // fallback to default if parsing fails
    }
    sleepTime = Math.max(0, Math.min(sleepTime, maxSleepTime)); // enforce bounds
    Thread.sleep(sleepTime);
}
By implementing checks on the input, setting reasonable defaults, and ensuring the sleep time is within an acceptable range, you reduce the risk of sleep injection vulnerabilities. Moreover, consider logging any invalid input attempts for monitoring and correcting potentially malicious activities.
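The following is an added example, not code from the detector documentation or from any project it describes, that carries the remediation above a step further: it parses the value as a long so inputs above Integer.MAX_VALUE are handled deliberately rather than by exception, clamps into a hard range, logs rejected or clamped requests (with control characters stripped so the input cannot forge log lines), and offers an allowlist of named delay tiers so that raw numbers never reach Thread.sleep at all. The bounds, tier names, and class name are assumptions chosen for illustration.

```java
import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Logger;

/** Added example: bounded, validated delays so untrusted input cannot control how long a thread blocks. */
public class BoundedDelay {
    private static final Logger LOG = Logger.getLogger(BoundedDelay.class.getName());

    // Hard upper bound applied to every request regardless of what the caller asks for (assumed value).
    static final Duration MAX_DELAY = Duration.ofSeconds(5);
    static final Duration DEFAULT_DELAY = Duration.ofSeconds(1);

    // Preferred approach: the client picks from a fixed set of named tiers (assumed names/values);
    // raw numbers never reach Thread.sleep().
    static final Map<String, Duration> NAMED_DELAYS = Map.of(
        "none", Duration.ZERO,
        "short", Duration.ofMillis(250),
        "medium", Duration.ofSeconds(1),
        "long", Duration.ofSeconds(3));

    /** Resolves a named tier; unknown names are logged and rejected (Optional.empty()). */
    static Optional<Duration> fromTier(String tier) {
        if (tier == null) {
            return Optional.empty();
        }
        Duration d = NAMED_DELAYS.get(tier.trim().toLowerCase());
        if (d == null) {
            LOG.warning("rejected unknown delay tier: " + sanitizeForLog(tier));
        }
        return Optional.ofNullable(d);
    }

    /**
     * Fallback for APIs that must accept a number: parse as long, reject garbage,
     * and clamp into [0, MAX_DELAY]. Out-of-range and unparsable values are logged.
     */
    static Duration fromMillis(String raw) {
        if (raw == null || raw.isBlank()) {
            return DEFAULT_DELAY;
        }
        long requested;
        try {
            requested = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            // Covers non-numeric text and values that overflow a long.
            LOG.warning("rejected non-numeric delay: " + sanitizeForLog(raw));
            return DEFAULT_DELAY;
        }
        if (requested < 0 || requested > MAX_DELAY.toMillis()) {
            LOG.warning("clamped out-of-range delay request: " + requested + " ms");
        }
        long clamped = Math.max(0L, Math.min(requested, MAX_DELAY.toMillis()));
        return Duration.ofMillis(clamped);
    }

    /** Sleeps for the validated duration and returns the duration actually used. */
    static Duration delayResponse(String raw) throws InterruptedException {
        Duration d = fromMillis(raw);
        Thread.sleep(d.toMillis());
        return d;
    }

    // Strip control characters and truncate so attacker-supplied text cannot forge extra log lines.
    private static String sanitizeForLog(String s) {
        String cleaned = s.replaceAll("\\p{Cntrl}", "?");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) + "..." : cleaned;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample inputs: benign, oversized, negative, long overflow, non-numeric, empty.
        String[] samples = {"250", "99999999", "-5", "9223372036854775808", "abc", ""};
        for (String s : samples) {
            System.out.printf("%-24s -> %d ms%n", "\"" + s + "\"", fromMillis(s).toMillis());
        }
        System.out.println("tier \"long\"    -> " + fromTier("long").map(Duration::toMillis).orElse(-1L) + " ms");
        System.out.println("tier \"forever\" -> " + fromTier("forever").map(Duration::toMillis).orElse(-1L) + " ms");
        delayResponse("100");
    }
}
```

The tier-based path is the stronger control: when the only accepted values are a handful of fixed names, there is no number for the caller to inflate. The numeric path remains for compatibility and relies entirely on the clamp, which is why the upper bound is a constant rather than anything derived from the request.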
Configuration
The detector has the following configurable parameters:
- sources: indicates the source kinds to check.
- neutralizations: indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
- CWE-400: Uncontrolled Resource Consumption.
- OWASP Top 10 2021 - A03: Injection.