# Security Test: Pagination missing

## Scanner(s) Support

| GraphQL Scanner | REST Scanner | Frontend Scanner |
|---|---|---|
## Description

Default Severity:

If an API returns every matching record at once because nothing caps the result set, a single request can overwhelm both the client and the server. Without pagination, one request can pull back a huge dataset, which may slow the system down or crash it outright. That makes it easier for an attacker to trigger denial-of-service conditions, and it can expose far more data than the caller needs, which matters most when the data is sensitive. Developers often miss this because it is tempting to keep queries simple without considering the cost of an unbounded response, so always limit and paginate API results.

Reference:
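The mitigation the description asks for, shown as an added example that is not code from the original page or from the scanner project: a list endpoint in its unbounded form beside a paginated form that clamps the client-supplied `limit` to a server-side cap. The dataset, the `MAX_PAGE_SIZE` / `DEFAULT_PAGE_SIZE` values and the function names are constructed for illustration.

```python
"""Added example: bounded vs. unbounded list endpoint (constructed, not the page's code)."""
from typing import Any

MAX_PAGE_SIZE = 100       # hard cap the server enforces whatever the client asks for (assumed value)
DEFAULT_PAGE_SIZE = 25    # page size used when the client sends no limit (assumed value)

# Constructed dataset standing in for a database table with 1,000 rows.
USERS = [{"id": i, "email": f"user{i}@example.test"} for i in range(1, 1001)]


def list_users_unbounded() -> list[dict[str, Any]]:
    """The weak version: no limit, so one request returns every row."""
    return list(USERS)


def parse_page_params(params: dict[str, str]) -> tuple[int, int]:
    """Parse limit/offset from query parameters and clamp them.

    Non-numeric values fall back to defaults and oversized or negative values are
    clamped rather than rejected, so the client can never widen a page past
    MAX_PAGE_SIZE or move the window before the first row.
    """
    try:
        limit = int(params.get("limit", DEFAULT_PAGE_SIZE))
    except ValueError:
        limit = DEFAULT_PAGE_SIZE
    try:
        offset = int(params.get("offset", 0))
    except ValueError:
        offset = 0
    limit = max(1, min(limit, MAX_PAGE_SIZE))
    offset = max(0, offset)
    return limit, offset


def list_users_paginated(params: dict[str, str]) -> dict[str, Any]:
    """The hardened version: at most MAX_PAGE_SIZE rows per response, plus the
    offset of the next page so a well-behaved client never needs 'everything'."""
    limit, offset = parse_page_params(params)
    page = USERS[offset : offset + limit]
    next_offset = offset + limit if offset + limit < len(USERS) else None
    return {
        "items": page,
        "limit": limit,
        "offset": offset,
        "next_offset": next_offset,
        "total": len(USERS),
    }


if __name__ == "__main__":
    print(len(list_users_unbounded()))                               # 1000 rows in one response
    print(len(list_users_paginated({"limit": "999999"})["items"]))   # clamped to 100
```

The cap is applied server-side after parsing, so a `limit=999999` request is silently reduced to the maximum instead of being honoured; returning `next_offset` alongside the page is what lets clients walk a large collection without ever asking for an unbounded result.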
## Configuration

Identifier: `resource_limitation/pagination_missing`

### Examples

All configuration available:

```yaml
checks:
  resource_limitation/pagination_missing:
    skip: false # default
    options:
      element_number_threshold: 250 # default
      response_size_in_kb_threshold: 50 # default
      response_time_in_ms_threshold: 500 # default
```
Increase the threshold:

```yaml
checks:
  resource_limitation/pagination_missing:
    skip: true
    options:
      element_number_threshold: 1000
      response_size_in_kb_threshold: 200
      response_time_in_ms_threshold: 5000
```
## Options

Options can be set in the `options` key of the Security Test Configuration.

| Property | Type | Default | Description |
|---|---|---|---|
| element_number_threshold | number | 250 | Number of elements in a response above which the check reports a finding |
| response_size_in_kb_threshold | number | 50 | Response size in KB above which the check reports a finding |
| response_time_in_ms_threshold | number | 500 | Response time in ms above which the check reports a finding |
## Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API8:2023 |
| OWASP LLM Top 10 | LLM04:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.18.1 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 770 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| CVSS Score | 3.7 |