Security Test: Depth limit

Description

Default Severity:

A GraphQL depth limit vulnerability happens when an attacker sends a very deeply nested query that forces your server to do much more work than it should. Because GraphQL doesn't automatically restrict how many levels deep a query can go, someone could intentionally create a query that drains server resources and slows or even crashes your service. This can open the door to denial-of-service attacks or make your application reveal more information than intended. Developers often overlook tightening these limits, leading to unintended resource allocation and potential security risks.

Reference:

Configuration

Identifier: resource_limitation/graphql_depth_limit

Examples

All configuration available:

checks:
  resource_limitation/graphql_depth_limit:
    skip: false # default
    options:
      threshold: 3 # default

Options

Options can be set in the options key of the Security Test Configuration.

Property Type Default Description
threshold number 3 Maximum depth before raising an alert (-1 = infinite).
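The following is an added example (not Escape's code) of the enforcement rule the threshold option describes: a small dependency-free scanner that measures how deeply a GraphQL document nests selection sets and flags it when the depth exceeds the threshold, with -1 disabling the limit. The queries and function names are constructed for illustration; a production guard should work on the parsed AST so that named fragment spreads are expanded too.

```python
"""Depth-limit check for GraphQL documents (constructed example)."""


def query_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a GraphQL document.

    The root selection set counts as depth 1 and every nested selection set adds
    one. Braces inside string literals (including block strings) and '#' comments
    are ignored. Named fragment spreads (...Frag) are NOT expanded, so resolve
    them from the AST in a real deployment.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                                # skip a line comment
            while i < n and query[i] != "\n":
                i += 1
        elif ch == '"':                              # skip a string literal
            if query.startswith('"""', i):           # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 2
            else:
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1  # honour escapes
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_depth(query: str, threshold: int = 3) -> dict:
    """Alert when depth exceeds threshold; threshold -1 means unlimited."""
    depth = query_depth(query)
    exceeded = threshold != -1 and depth > threshold
    return {"depth": depth, "threshold": threshold, "exceeded": exceeded}


# Constructed sample documents: one acceptable, one deliberately over-nested.
SHALLOW_QUERY = '{ user(id: "1") { name } }'
DEEP_QUERY = "{ user { posts { comments { author { posts { id } } } } } }"

if __name__ == "__main__":
    for q in (SHALLOW_QUERY, DEEP_QUERY):
        print(check_depth(q))
```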

Compliance and Standards

Standard Value
OWASP API Top 10 API4:2023
OWASP LLM Top 10 LLM04:2023
PCI DSS 6.5.1
GDPR Article-32
SOC2 CC6
PSD2 Article-95
ISO 27001 A.14.2
NIST SP800-53
FedRAMP SC-5
CWE 400
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
CVSS Score 5.1