Java Denial Of Service By Sleep
Description
Detects potential Denial of Service vulnerabilities caused by Thread.sleep() calls with untrusted duration values in Java web applications. An attacker could exploit this by supplying manipulated input that triggers long sleep periods, causing the application to become unresponsive.
Detection Strategy
• Checks if the Java web application uses servlet imports (javax.servlet.http.* or jakarta.servlet.http.*)
• Identifies Thread.sleep() method calls in the codebase
• Verifies if the sleep duration parameter comes from untrusted sources like HTTP request parameters
• Reports a vulnerability when sleep duration can be controlled through user input in web request handlers
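The four steps above can be tried out on a single source file with the following heuristic scanner. It is an added example written for this page, not Fluid Attacks' analyzer: it checks for a `javax`/`jakarta` servlet import, locates `Thread.sleep()` sinks, and follows simple forward assignments from request accessors such as `getParameter()` to the sleep argument. The assumption that a `Math.min(...)` bound counts as a sanitizer, the accessor list, and the three embedded Java sources are all constructed for the example.

```python
"""Heuristic detector for Thread.sleep() with request-controlled duration in Java servlet sources.

Added illustration of the four-step detection strategy; it is not Fluid Attacks' analyzer.
It is text-based (regular expressions, forward data flow within one file), so it is a teaching
aid rather than a real taint analysis.
"""
import re

# Step 1: the file must be a servlet (javax or jakarta namespace).
SERVLET_IMPORT = re.compile(r"^\s*import\s+(?:javax|jakarta)\.servlet\.http\.", re.MULTILINE)
# Step 3: untrusted sources are values read from the HTTP request (accessor list is an assumption).
UNTRUSTED_CALL = re.compile(r"\b\w+\.(?:getParameter|getParameterValues|getHeader|getQueryString)\s*\(")
# Assignment with optional declared type: `String s = req.getParameter("t");` or `s = other;`
ASSIGN = re.compile(r"(?:[\w<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*([^;=]*);")
# Step 2: the sink.
SLEEP_CALL = re.compile(r"\bThread\s*\.\s*sleep\s*\(([^;]*)\)\s*;")
# Assumption of this example: a Math.min(...) bound is treated as a sanitizer that caps the duration.
SANITIZER = re.compile(r"\bMath\s*\.\s*min\s*\(")


def _mentions(expr: str, tainted: set) -> bool:
    """True if the expression reads the request directly or names a tainted variable."""
    if UNTRUSTED_CALL.search(expr):
        return True
    return any(re.search(rf"\b{re.escape(name)}\b", expr) for name in tainted)


def find_sleep_dos(source: str):
    """Return [(line_number, sleep_argument)] for Thread.sleep() calls whose duration is request-controlled.
    Non-servlet files return [] so batch or CLI code that sleeps on argv is not reported."""
    if not SERVLET_IMPORT.search(source):
        return []
    tainted = set()
    # Forward propagation: a variable assigned from an untrusted value (and not capped) becomes tainted.
    for m in ASSIGN.finditer(source):
        name, rhs = m.group(1), m.group(2)
        if _mentions(rhs, tainted) and not SANITIZER.search(rhs):
            tainted.add(name)
    findings = []
    for m in SLEEP_CALL.finditer(source):
        arg = m.group(1)
        if _mentions(arg, tainted) and not SANITIZER.search(arg):  # Step 4
            findings.append((source.count("\n", 0, m.start()) + 1, arg.strip()))
    return findings


# Constructed sample inputs for a stand-alone run (not code from the page).
VULNERABLE = """import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
public class V extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String userInput = req.getParameter("sleeptime");
        long delay = Long.parseLong(userInput);
        try { Thread.sleep(delay); } catch (InterruptedException e) { }
    }
}
"""
CLAMPED = VULNERABLE.replace("long delay = Long.parseLong(userInput);",
                             "long delay = Math.min(Long.parseLong(userInput), 5000L);")
NOT_A_SERVLET = """public class Batch {
    public static void main(String[] args) throws InterruptedException {
        long delay = Long.parseLong(args[0]);
        Thread.sleep(delay);
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("clamped", CLAMPED), ("batch", NOT_A_SERVLET)):
        print(label, find_sleep_dos(src))
```

Running the script reports the sleep on line 7 of the vulnerable sample, nothing for the clamped variant, and nothing for the batch job, which is exactly the separation the strategy aims for: a blocking sleep is only a finding when a web request can choose its length.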
Vulnerable code example
import java.io.IOException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
public class VulnerableServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String userInput = req.getParameter("sleeptime"); // Untrusted user input directly controls sleep duration
        try {
            Thread.sleep(Long.parseLong(userInput)); // Vulnerable: the request thread blocks for as long as the caller asks
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
}
Secure code example
import java.io.IOException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
public class SecureServlet extends HttpServlet {
    private static final long MAX_SLEEP_TIME = 5000; // Maximum allowed sleep time in milliseconds
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        long requested;
        try { requested = Long.parseLong(req.getParameter("sleeptime")); }
        catch (NumberFormatException e) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; } // reject missing or non-numeric input
        long sleepTime = Math.max(0L, Math.min(requested, MAX_SLEEP_TIME)); // clamp: a request can never block longer than MAX_SLEEP_TIME
        try { Thread.sleep(sleepTime); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
    }
}