Security Test: Depth limit¶
Description¶
Default Severity:
A GraphQL depth limit vulnerability happens when an attacker sends a very deeply nested query that forces your server to do much more work than it should. Because GraphQL doesn't automatically restrict how many levels deep a query can go, someone could intentionally create a query that drains server resources and slows or even crashes your service. This can open the door to denial-of-service attacks or make your application reveal more information than intended. Developers often overlook tightening these limits, leading to unintended resource allocation and potential security risks.
Reference:
Configuration¶
Identifier:
resource_limitation/graphql_depth_limit
Examples¶
All configuration available:
checks:
resource_limitation/graphql_depth_limit:
skip: false # default
options:
threshold: 3 # default
Options¶
Options can be set in the options key of the Security Test Configuration.
| Property | Type | Default | Description |
|---|---|---|---|
threshold | number | 3 | Maximum depth before raising an alert (-1 = infinite). |
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API4:2023 |
| OWASP LLM Top 10 | LLM04:2023 |
| PCI DSS | 6.5.1 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | SC-5 |
| CWE | 400 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |