Findings

Average Request Payload Size Elevated

Updated: June 19, 2025

Description

Severity: Info

The average request payload size has increased during the current observation period.

The average request payload size of the API has increased significantly, exceeding the mean plus one standard deviation of the preceding period. This means that requests sent to the API now contain more data than usual. The increase could be caused by changes in the client-side applications or by updates to API features, or it could indicate an attack in which malicious or oversized data sets are submitted in an attempt to overwhelm the system or consume more of its resources.
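As an added illustration of the rule described above (example code, not the product's own detector), the following Python parses constructed access-log lines, baselines the preceding period and flags the current period when its mean payload size exceeds the baseline mean plus one standard deviation. The log format, the field names and the use of the population standard deviation are assumptions, as the page does not specify them.

```python
import re
import statistics
from datetime import datetime

# Constructed sample log lines (not real traffic): "<timestamp> <method> <path> <content-length>".
SAMPLE_LOG = """\
2025-06-18T10:00:01Z POST /api/orders 812
2025-06-18T10:00:07Z POST /api/orders 790
2025-06-18T10:00:15Z POST /api/orders 845
2025-06-18T10:00:22Z POST /api/orders 803
2025-06-18T10:00:30Z POST /api/orders 821
2025-06-19T10:00:03Z POST /api/orders 1980
2025-06-19T10:00:11Z POST /api/orders 2105
2025-06-19T10:00:19Z POST /api/orders 1870
2025-06-19T10:00:27Z POST /api/orders 2240
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Return (timestamp, payload_bytes) for each well-formed line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            entries.append((ts, int(m.group(4))))
    return entries

def evaluate(prev_sizes, cur_sizes):
    """Raise when the current mean exceeds the previous mean + one standard deviation.
    Population stddev is an assumption. Returns (raised, threshold, current_mean);
    (False, None, None) when the baseline has < 2 samples or the current period is empty."""
    if len(prev_sizes) < 2 or not cur_sizes:
        return False, None, None
    threshold = statistics.mean(prev_sizes) + statistics.pstdev(prev_sizes)
    current_mean = statistics.mean(cur_sizes)
    return current_mean > threshold, threshold, current_mean

def analyze(text, period_start):
    """Split the log at period_start (a datetime) into preceding/current and evaluate."""
    entries = parse_log(text)
    prev = [size for ts, size in entries if ts < period_start]
    cur = [size for ts, size in entries if ts >= period_start]
    return evaluate(prev, cur)

def run_example():
    # Baseline is June 18, current period starts June 19 (constructed boundary).
    return analyze(SAMPLE_LOG, datetime(2025, 6, 19))
```

On the sample data the baseline mean is 814.2 bytes with a threshold of about 832.7 bytes, and the current mean of 2048.75 bytes raises the finding.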

Example Attack

An attacker could exploit the increased request payload size by sending large, malicious payloads designed to overwhelm the API or its backend systems. For example, the attacker may send a massive payload to bypass rate-limiting and data validation mechanisms, or to trigger potential weaknesses such as buffer overflows or memory exhaustion.

  • Denial of Service (DoS): An attacker could send requests with exceptionally large payloads to exhaust server resources, leading to slower response times, timeouts, or even server crashes.
  • SQL Injection or Data Exfiltration: Large payloads containing crafted SQL queries or sensitive data could be used to exploit SQL injection vulnerabilities, potentially accessing or corrupting the database.

Remediation

Investigate what has caused the request payloads sent to this API to increase significantly in size. Correlate the change with recent client-side application releases or API feature updates; if no legitimate change explains it, treat the traffic as potentially malicious and review the sources sending the largest payloads.

Security Frameworks

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.
