Skip to content

Security Test: Width limit

Description

Default Severity:

Without limits on how many nested subfields a GraphQL query can request, an attacker might craft an overly large query that strains your system by requesting far more data than intended. This vulnerability is dangerous because it can lead to performance issues, such as slowing down or even crashing the server, and it might expose more information than expected. Developers often overlook setting restrictions on query depth or width, which leaves applications open to denial-of-service attacks and unintentional data leakage if not properly managed.

Reference:

Configuration

Identifier: resource_limitation/graphql_width_limit

Examples

All configuration available:

checks:
  resource_limitation/graphql_width_limit:
    skip: false # default
    options:
      threshold: 20 # default

Options

Options can be set in the options key of the Security Test Configuration.

Property Type Default Description
threshold number 20 Maximum width before raising an alert (-1 = infinite).

Compliance and Standards

Standard Value
OWASP API Top 10 API4:2023
OWASP LLM Top 10 LLM04:2023
PCI DSS 6.5.10
GDPR Article-32
SOC2 CC6
PSD2 Article-94
ISO 27001 A.14.2
NIST SP800-53
FedRAMP SC-5
CWE 770
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
CVSS Score 5.1