Security Test: Width limit¶
Description¶
Default Severity:
Without limits on how many nested subfields a GraphQL query can request, an attacker might craft an overly large query that strains your system by requesting far more data than intended. This vulnerability is dangerous because it can lead to performance issues, such as slowing down or even crashing the server, and it might expose more information than expected. Developers often overlook setting restrictions on query depth or width, which leaves applications open to denial-of-service attacks and unintentional data leakage if not properly managed.
Reference:
Configuration¶
Identifier:
resource_limitation/graphql_width_limit
Examples¶
All configuration available:
checks:
resource_limitation/graphql_width_limit:
skip: false # default
options:
threshold: 20 # default
Options¶
Options can be set in the options key of the Security Test Configuration.
| Property | Type | Default | Description |
|---|---|---|---|
threshold | number | 20 | Maximum width before raising an alert (-1 = infinite). |
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API4:2023 |
| OWASP LLM Top 10 | LLM04:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC6 |
| PSD2 | Article-94 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | SC-5 |
| CWE | 770 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C |
| CVSS Score | 5.1 |