Security timeout
Description
Requests that take a long time to process can be used by attackers to create Denial-of-Service (DoS) situations.
This security test is based on an arbitrary timeout threshold that might not match your application's requirements. To learn how to change it, head over to the configuration section below.
Example: Querying getAllUsers(){ contacts { contacts }}
returns a response after 15s.
Remediation
Implement a server timeout. For example, a server configured with a 5 seconds timeout would stop the execution of any query that takes over 5 seconds. Pros: - Simple to implement. - Most security strategies use a timeout as a final layer of protection. Cons: - Damage can already have been done before the timeout kicks in. - Can trigger other issues. Stoping connection after a certain time may result in strange behaviors and corrupt data. Warning : When a timeout is configured on the server, the socket may be closed while the underlying request continues. Make sure that the request is actually canceled.
GraphQL Specific
Apollo
To mitigate security risks associated with the Apollo framework engine, ensure that all user inputs are validated and sanitized before processing. Implement proper authentication and authorization checks to prevent unauthorized access. Regularly update the Apollo framework and its dependencies to patch known vulnerabilities. Additionally, consider setting up a security timeout feature that automatically logs out users after a period of inactivity to reduce the risk of session hijacking.
Yoga
To address the security timeout issue within the Yoga framework engine, ensure that session timeout values are appropriately configured to balance usability with security. Implement automatic session expiration after a defined period of inactivity, and prompt users to re-authenticate to continue their session. This helps to mitigate the risk of unauthorized access from unattended user sessions.
Awsappsync
To enhance security within the AWS AppSync framework, it is recommended to implement a security timeout feature. This can be achieved by setting appropriate timeout values for resolvers to prevent excessively long-running operations that could potentially expose the system to denial-of-service attacks or unintended resource consumption. Configure the 'timeoutInMillis' field for each resolver to a sensible value that balances performance and security, ensuring that operations complete within an acceptable timeframe without compromising the system's stability or user experience.
Graphqlgo
Implement a security timeout mechanism in the GraphQL Go framework engine to automatically terminate sessions that exceed a predefined period of inactivity. This helps to reduce the risk of unauthorized access from unattended sessions. Configure the timeout duration based on the sensitivity of the application's data and operations. Ensure that the timeout settings are enforced consistently across the application and that users are informed about the timeout policy to prevent data loss due to unexpected session termination.
Graphqlruby
Implement query complexity analysis to prevent resource exhaustion attacks. Define a complexity budget and use the max_complexity
setting in GraphQL-Ruby to enforce it. This will help to mitigate potential denial-of-service attacks by ensuring that overly complex queries cannot be executed.
Hasura
Implement a security timeout mechanism in the Hasura framework engine to automatically terminate sessions after a period of inactivity. This reduces the risk of unauthorized access from unattended sessions. Configure the 'HASURA_GRAPHQL_JWT_SECRET' environment variable with an appropriate 'claims_namespace' and 'claims_format' to include custom claims for session timeout. Use these claims to enforce session expiration on the client-side, and ensure that the Hasura engine validates the expiration claim to prevent the use of expired tokens.
REST Specific
Asp_net
Implement request timeout limits and optimize long-running processes within the ASP.NET application to prevent potential DoS attacks.
Ruby_on_rails
Implement request timeout settings in your Ruby on Rails application to prevent long-running requests from causing a Denial-of-Service (DoS). Configure Rack::Timeout or a similar middleware to define a maximum time a request can take, and ensure that your web server (e.g., Puma, Unicorn) has appropriate timeout settings as well.
Next_js
Implement server-side request timeout limits and use efficient data retrieval methods to prevent long-running queries that could lead to DoS attacks.
Laravel
Implement request throttling and set a maximum execution time for queries in Laravel by using middleware to prevent long-running requests that could lead to DoS attacks.
Express_js
Implement rate limiting and set up a maximum request timeout in your Express.js application to prevent long-running requests from causing DoS. Use middleware like express-rate-limit
for rate limiting and set the timeout
property on the server to define a maximum request processing time.
Django
Implement request timeouts and limit the number of concurrent connections in your Django application to mitigate potential DoS attacks. Use Django's built-in features to set a reasonable timeout value for database operations and consider using a reverse proxy like Nginx to manage timeouts for client connections.
Symfony
Implement a request timeout mechanism in Symfony by configuring the 'max_execution_time' in your 'php.ini' file or by using the 'set_time_limit()' function in your PHP scripts to prevent long-running requests. Additionally, consider using Symfony's 'RequestStack' and 'KernelEvents' to create custom event listeners that can track request duration and terminate requests that exceed a predefined threshold.
Spring_boot
Implement a global timeout configuration for all requests in Spring Boot by using the spring.mvc.async.request-timeout
property in application.properties
or application.yml
. Additionally, consider using @Async
annotation with a custom Executor
that has a timeout policy to handle long-running tasks without blocking the main thread.
Flask
Implement request timeout handling in Flask by using the timeout
decorator from Flask-Timeout or setting up a custom timeout mechanism to ensure long-running requests are terminated, preventing potential DoS attacks.
Nuxt
Implement server-side request timeout settings and client-side timeout warnings to prevent long-running requests from causing DoS. In Nuxt.js, configure the server middleware to manage request processing time and set timeouts appropriately.
Fastapi
Implement request timeout handling in FastAPI by using dependencies to create a timer that will cancel long-running requests. Adjust the timeout threshold based on your application's performance profile to prevent potential DoS attacks.
Configuration
Identifier:
resource_limitation/timeout
Options
- threshold_info : Duration of a request (in seconds) before raising a info level alert
- threshold_low : Duration of a request (in seconds) before raising a low level alert
- threshold_medium : Duration of a request (in seconds) before raising a medium level alert
Examples
Ignore this check
checks:
resource_limitation/timeout:
skip: true
Score
- Escape Severity: INFO
Compliance
OWASP: API7:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-4
Classification
- CWE: 400
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2