Sleep Injection

ID

php.sleep_injection

Severity

critical

Resource

Injection

Language

Php

Tags

CWE:400, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1, PCI-DSS:6.5.6

Description

Improper neutralization of external input used to make a thread wait.

Rationale

Sleep injection vulnerabilities occur when user-controlled input determines the duration of a sleep statement, allowing an attacker to tie up server resources and degrade performance.

These vulnerabilities, categorized under CWE-400, can be caused by improper handling of user input without sufficient validation or sanitization, allowing malicious parties to submit large delays that can hinder application availability and responsiveness.

For example, consider the following piece of PHP code:

<?php
  // Vulnerable usage
  $delay = $_GET['timeout']; // no validation
  sleep($delay);
  echo "Done waiting";
?>

An attacker can access the page like so: http://example.com/page.php?timeout=9999

This causes the server to hang unnecessarily, potentially leading to service degradation or full denial of service if executed repeatedly or in parallel.

Remediation

To mitigate sleep injection issues in PHP, ensure proper validation and sanitization of all user inputs that control sleep durations. Input validation that enforces sane limits on the sleep duration prevents misuse.

Here’s an example remediation approach:

<?php
  // Secure usage
  $max_delay = 5; // seconds

  // intval() turns non-numeric input (e.g. "abc") into 0 and strips
  // trailing garbage, so the value is always an integer from here on.
  $delay = isset($_GET['timeout']) ? intval($_GET['timeout']) : 0;

  if ($delay < 0 || $delay > $max_delay) {
    $delay = $max_delay; // enforce safe boundaries by clamping to the limit
  }

  sleep($delay);
  echo "Done waiting";
?>

Best Practices:

  • Never use untrusted input directly with execution delay functions.

  • Use type casting and limit values with min()/max() or conditional boundaries.

  • Log unusual delay requests for monitoring and investigation.

  • Consider removing or replacing unnecessary use of delay functions in public-facing endpoints.

By controlling the input range and rejecting or limiting maliciously large inputs, you can prevent abuse of timing mechanisms and ensure application resilience.
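The following is an added example, not code from the original page, showing the best practices above combined in one reusable helper: it validates the requested delay with filter_var() and a hard range, rejects out-of-range or malformed input with an HTTP 400 instead of silently clamping it, and logs the rejected value. The function name validated_delay and the 5-second limit are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the original page). The helper name and
// the $max_delay default are illustrative assumptions.
declare(strict_types=1);

/**
 * Returns a validated delay in seconds, or null if the input is unusable.
 * Only integers within [0, $max_delay] are accepted; everything else
 * (negative values, huge values, "9999abc", "1e9", arrays) is rejected.
 */
function validated_delay(mixed $raw, int $max_delay = 5): ?int
{
    if ($raw === null || $raw === '') {
        return 0; // parameter absent: do not wait at all
    }
    if (!is_string($raw)) {
        // e.g. ?timeout[]=1 arrives as an array; never pass that to sleep()
        error_log('sleep_injection: non-scalar timeout parameter rejected');
        return null;
    }
    // FILTER_VALIDATE_INT rejects non-integer strings; the range options
    // enforce the business limit in the same step.
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max_delay],
    ]);
    if ($value === false) {
        // Log the rejected (truncated) value so repeated probing is visible.
        error_log(sprintf('sleep_injection: rejected timeout=%s from %s',
            substr($raw, 0, 32), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        return null;
    }
    return $value;
}

$delay = validated_delay($_GET['timeout'] ?? null);
if ($delay === null) {
    http_response_code(400);
    exit('Invalid timeout');
}
sleep($delay);
echo "Done waiting";
```

Rejecting rather than clamping means a malformed request costs the server no wait time at all, and the error_log() entries give operations a signal to alert on.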

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.