Security Test: Alias limit
Description
Default Severity:
GraphQL aliases let a client request the same field several times in one operation, each copy under a different result key. That is convenient for legitimate queries, but an attacker can use it to pack many copies of the same expensive or sensitive operation (a login mutation with a different password each time, a costly search, a large list fetch) into a single HTTP request. Defences that count requests rather than resolved fields, such as per-endpoint rate limiting, see one request and let it through: the server then does the work of tens or hundreds of operations and can exhaust CPU, memory or database connections, while repeated attempts stay below the thresholds meant to catch them. The root cause is an accounting mismatch: the rate limiter treats the request as a single unit instead of counting every aliased field the server actually resolves. Assuming a request-level rate limit is sufficient is a common mistake; without an alias limit (or a query cost limit that accounts for aliases) the API is exposed to resource exhaustion and brute-force attempts, and, if left unaddressed, to denial of service.
Reference:
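The following is an added example and not the scanner's own code: it builds the kind of aliased request described above and shows a server-side alias counter that enforces a threshold like the one this test configures. The alias counting is a small hand-written tokenizer so the script runs offline without graphql-core; the `login` field, the sample passwords and the "more than threshold raises" reading of the option are assumptions made for the illustration.

```python
"""Count GraphQL aliases in a raw query and enforce a threshold.

Added example, not the scanner's own code. The tokenizer below only
distinguishes selection sets from argument lists, object values and
lists, which is all that is needed to tell an alias (Name ':' inside a
selection set) from an argument name (Name ':' inside parentheses or an
input object). Run real traffic through a proper parser (for example
graphql-core's parse()) and count aliases on the AST instead.
"""
import re

# Token pattern: block strings, plain strings, comments, spreads, names,
# numbers and the punctuators that matter for context tracking.
# Whitespace and commas are not matched and are therefore skipped.
_TOKEN = re.compile(
    r'"""[\s\S]*?"""'                      # block string
    r'|"(?:\\.|[^"\\\n])*"'               # plain string
    r'|#[^\n]*'                           # comment
    r'|\.\.\.'                            # fragment spread
    r'|[A-Za-z_][A-Za-z0-9_]*'            # name
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?'  # int / float
    r'|[!$&():=@\[\]{}|]'                 # punctuators
)
_NAME = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def count_aliases(query: str) -> int:
    """Return the number of field aliases in a GraphQL document."""
    tokens = [m.group(0) for m in _TOKEN.finditer(query)
              if not m.group(0).startswith('#')]
    # Context stack: 'sel' = selection set, 'arg' = argument or variable
    # list, 'obj' = input object value, 'list' = list value.
    stack: list[str] = []
    aliases = 0
    for i, tok in enumerate(tokens):
        if tok == '(':
            stack.append('arg')
        elif tok == '[':
            stack.append('list')
        elif tok == '{':
            # A brace inside arguments or values is an input object,
            # anywhere else it opens a selection set.
            inside_value = bool(stack) and stack[-1] in ('arg', 'obj', 'list')
            stack.append('obj' if inside_value else 'sel')
        elif tok in (')', ']', '}'):
            if stack:
                stack.pop()
        elif tok == ':' and stack and stack[-1] == 'sel':
            # Name ':' directly inside a selection set is an alias.
            if i > 0 and _NAME.fullmatch(tokens[i - 1]):
                aliases += 1
    return aliases


def exceeds_alias_limit(query: str, threshold: int = 10) -> bool:
    """True when the document carries more aliases than the threshold.

    threshold=-1 disables the check, mirroring the scanner's option.
    Assumption: 'threshold' is the maximum allowed, so threshold+1 alerts.
    """
    if threshold < 0:
        return False
    return count_aliases(query) > threshold


def aliased_batch(field: str, args_list: list[str], selection: str = "token") -> str:
    """Constructed attacker payload: N aliased copies of one field in one request."""
    parts = [f"  a{i}: {field}({args}) {{ {selection} }}"
             for i, args in enumerate(args_list)]
    return "mutation {\n" + "\n".join(parts) + "\n}"


if __name__ == "__main__":
    # Constructed sample: a password-spraying attempt hidden in one request.
    spray = aliased_batch(
        "login",
        [f'user: "alice", password: "guess{i}"' for i in range(25)],
    )
    print(spray)
    print("aliases:", count_aliases(spray))                  # 25
    print("blocked (threshold 10):", exceeds_alias_limit(spray))   # True
    print("blocked (threshold -1):", exceeds_alias_limit(spray, -1))  # False
```

Rejecting the request before any resolver runs is the point: the check costs a single pass over the document, whereas the attack costs the server one resolver execution per alias. An alias limit alone does not close the hole, though. Clients can also send an array of operations in one HTTP body (batching) or inflate a single field with deep nesting, so pair the alias limit with a batch limit, a depth or cost limit, and per-field (not per-request) rate limiting on sensitive operations such as login.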
Configuration
Identifier:
resource_limitation/graphql_alias_limit
Examples
All configuration available:

```yaml
checks:
  resource_limitation/graphql_alias_limit:
    skip: false # default
    options:
      threshold: 10 # default
```
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
threshold | number | 10 | Maximum number of aliases allowed in one document before an alert is raised (-1 disables the limit). |
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API5:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-97 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-2 |
CWE | 770 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C |
CVSS Score | 5.1 |