Why it matters
Large payloads should be explicitly rejected with 413 Payload Too Large.
Responding with 400 Bad Request instead is misleading and can waste server resources, opening a trivial denial-of-service vector.
What was tested
- TEST: Large Payload Test
- Mutation: Inflated request body size (default 10 MB)
- Expected: 413 Payload Too Large
- Anything else: incorrect handling
Real impact
APIs that accept or parse oversized requests tie up memory/CPU unnecessarily, which attackers can exploit to degrade service availability.
OWASP context
Uncontrolled resource consumption and denial of service are known risk categories in OWASP; size limits should be enforced at the edge.
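The behaviour this check expects, shown as an added Go example (not Rentgen's own code and not taken from any API the post mentions): the handler refuses an oversized body with 413 before spending any CPU on it, both when the client declares Content-Length and when it streams the body without one. The 1 MiB cap and the `/upload` path are constructed values; `probe` replays the check in-process so the outcome can be verified without a network.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is a constructed 1 MiB cap for this example; choose a limit per endpoint.
const maxBodyBytes int64 = 1 << 20

// limitedHandler refuses oversized bodies with 413 before any parsing happens.
func limitedHandler(w http.ResponseWriter, r *http.Request) {
	// Fast path: a declared Content-Length above the cap is rejected without reading a byte.
	if r.ContentLength > maxBodyBytes {
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	}
	// Slow path: chunked or misreported bodies are cut off at the cap while streaming,
	// so at most maxBodyBytes+1 bytes are ever buffered (MaxBytesError needs Go 1.19+).
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest) // genuinely malformed input only
		return
	}
	// Only now is it safe to spend CPU on the payload (upper-casing stands in for real parsing).
	w.WriteHeader(http.StatusOK)
	io.WriteString(w, strings.ToUpper(string(body)))
}

// probe replays the check in-process: it POSTs a body of n bytes, optionally hiding
// its length the way a chunked client would, and returns the HTTP status code.
func probe(n int, declareLength bool) int {
	var body io.Reader = strings.NewReader(strings.Repeat("a", n))
	if !declareLength {
		body = io.NopCloser(body) // httptest then leaves ContentLength at -1
	}
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	rec := httptest.NewRecorder()
	limitedHandler(rec, req)
	return rec.Code
}
```

Register `limitedHandler` with `http.HandleFunc("/upload", limitedHandler)` to serve it; `probe(int(maxBodyBytes)+1, false)` returns 413 while a body exactly at the cap returns 200.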
Real world example
This issue was found in a major API (ChatGPT API) and fixed within a day after reporting — underscoring the severity of incorrect payload handling.
Why this check exists in Rentgen
Ensures oversized requests are rejected properly, protecting your API from unnecessary work and obvious DoS vectors.