Two list endpoints — one dumps all 500 records in a single response with no limits. The other paginates correctly. Find the unbounded endpoint and measure the payload size difference.
Resource exhaustion occurs when an API returns unlimited data in a single response — consuming excess memory, CPU, bandwidth, and browser rendering time. An attacker can trigger this repeatedly to degrade service. Missing pagination is one of the most common performance and security bugs in list endpoints.
| Bug | List All endpoint returns all 500 records in one response (~50KB+ payload) |
| Correct | List Paginated returns 20 records per page with total count and page metadata |
List All (No Limit) and check how many records and bytes are returnedList Paginated and note the page size and total count