Security Test: Pagination missing¶
Description¶
Default Severity:
An API that returns an unbounded result set, because nothing caps how many records a single request can pull back, puts both the client and the server at risk. Without pagination one request can fetch an entire table, which ties up CPU, memory and bandwidth on the server and can slow down or crash the service. An attacker can exploit this to trigger denial-of-service conditions, and where the data is sensitive a single response also exposes far more records than the caller needs. Developers often miss this because it is tempting to keep list queries simple without considering the cost of unbounded responses, so enforce a server-side page-size ceiling and paginate every list endpoint.
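To show what the remediation looks like in code, here is an added Python example (not part of this page or of Escape's tooling) that puts an unbounded list handler next to a hardened one. The hardened version clamps the client-supplied `limit` to a server-side ceiling, uses an opaque keyset cursor so a client cannot jump to arbitrary offsets, and rejects malformed input. The `USERS` dataset, the `list_users_*` function names, and the `query` dict standing in for a parsed query string are all constructed for the example.

```python
from __future__ import annotations

import base64
import json
from typing import Any

# Constructed sample dataset: 1,000 user records, standing in for a table
# that an unpaginated list endpoint would return in full.
USERS = [{"id": i, "email": f"user{i}@example.test"} for i in range(1, 1001)]

DEFAULT_LIMIT = 20   # page size used when the client asks for nothing
MAX_LIMIT = 100      # hard ceiling, whatever the client asks for


def list_users_unbounded() -> list[dict[str, Any]]:
    """Vulnerable: the whole table goes back in one response."""
    return USERS


def encode_cursor(last_id: int) -> str:
    """Opaque cursor: the client only ever echoes it back."""
    return base64.urlsafe_b64encode(json.dumps({"after": last_id}).encode()).decode()


def decode_cursor(cursor: str | None) -> int:
    """Reject anything the server did not mint; None means 'first page'."""
    if cursor is None:
        return 0
    try:
        payload = json.loads(base64.urlsafe_b64decode(cursor.encode()))
        after = payload["after"]
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed cursor")
    if not isinstance(after, int) or after < 0:
        raise ValueError("malformed cursor")
    return after


def parse_limit(raw: str | None) -> int:
    """Clamp the requested page size into [1, MAX_LIMIT]."""
    if raw is None:
        return DEFAULT_LIMIT
    try:
        requested = int(raw)
    except ValueError:
        raise ValueError("limit must be an integer")
    if requested < 1:
        raise ValueError("limit must be positive")
    # The client may ask for 100000; it gets MAX_LIMIT at most.
    return min(requested, MAX_LIMIT)


def list_users_paginated(query: dict[str, str]) -> dict[str, Any]:
    """Hardened: keyset pagination with a server-enforced page size.

    `query` stands in for the parsed query string of the request, so the
    example runs without a web framework.
    """
    limit = parse_limit(query.get("limit"))
    after = decode_cursor(query.get("cursor"))
    # Fetch one extra row to learn whether another page exists without a
    # second counting query.
    window = [u for u in USERS if u["id"] > after][: limit + 1]
    page, has_more = window[:limit], len(window) > limit
    return {
        "data": page,
        "next_cursor": encode_cursor(page[-1]["id"]) if has_more and page else None,
    }


if __name__ == "__main__":
    print(len(list_users_unbounded()))                           # 1000 nodes in one response
    first = list_users_paginated({"limit": "100000"})            # client asks for everything
    print(len(first["data"]), first["next_cursor"] is not None)  # 100 True
```

The ceiling lives in `parse_limit`, not in the client contract: a request for `limit=100000` is not an error, it is silently served `MAX_LIMIT` rows, which is the behaviour a scanner looking for unbounded responses will accept. The cursor is keyset-based (`id > after`) rather than an offset so that the cost of fetching page N does not grow with N.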
Reference:
Configuration¶
Identifier:
resource_limitation/pagination_missing
Examples¶
All configuration available:
```yaml
checks:
  resource_limitation/pagination_missing:
    skip: false # default
    options:
      threshold_high: 250 # default
      threshold_low: 20 # default
      threshold_medium: 100 # default
```
Increase the thresholds (the check must stay enabled, and the values go under the `options` key):
```yaml
checks:
  resource_limitation/pagination_missing:
    skip: false
    options:
      threshold_low: 1000
      threshold_medium: 2000
      threshold_high: 5000
```
Options¶
Options can be set in the `options` key of the Security Test Configuration.
| Property | Type | Default | Description |
|---|---|---|---|
| threshold_high | number | 250 | Maximum number of nodes a response may return before a high severity alert is raised. |
| threshold_low | number | 20 | Maximum number of nodes a response may return before a low severity alert is raised. |
| threshold_medium | number | 100 | Maximum number of nodes a response may return before a medium severity alert is raised. |
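To make the three thresholds concrete, here is an added Python example (not Escape's scanner code) of how a response body could be graded against them: it walks the JSON, takes the largest array found at any depth as the node count, and reports the highest threshold that count exceeds. Two things are assumptions made for the illustration, not facts from this page: that a "node" is one element of a returned collection, and that the highest exceeded threshold determines the severity. The sample bodies are constructed.

```python
from __future__ import annotations

import json
from typing import Any

# Defaults taken from the check's configuration table above.
DEFAULT_THRESHOLDS = {"threshold_low": 20, "threshold_medium": 100, "threshold_high": 250}

# Constructed sample responses: a paginated page of 20, and an unbounded
# dump of 300 records nested two levels deep.
PAGINATED_BODY = json.dumps(
    {"data": [{"id": i} for i in range(20)], "next_cursor": "opaque"}
)
UNBOUNDED_BODY = json.dumps(
    {"data": {"users": [{"id": i, "roles": ["user"]} for i in range(300)]}}
)


def load_thresholds(options: dict[str, int] | None) -> dict[str, int]:
    """Merge user options over the defaults and refuse inconsistent orderings."""
    merged = {**DEFAULT_THRESHOLDS, **(options or {})}
    unknown = set(merged) - set(DEFAULT_THRESHOLDS)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    low, med, high = (merged[k] for k in ("threshold_low", "threshold_medium", "threshold_high"))
    # A 'medium' below 'low' would make the severity ladder meaningless.
    if not (0 < low < med < high):
        raise ValueError("thresholds must satisfy 0 < low < medium < high")
    return merged


def largest_collection(node: Any) -> int:
    """Size of the largest JSON array anywhere in the body.

    Assumption (not from the page): one array element is one "node", so an
    unpaginated list shows up as a single large array wherever it is nested.
    """
    if isinstance(node, list):
        return max([len(node)] + [largest_collection(item) for item in node])
    if isinstance(node, dict):
        return max([0] + [largest_collection(v) for v in node.values()])
    return 0


def classify(body: str, options: dict[str, int] | None = None) -> str | None:
    """Return 'low', 'medium' or 'high' for the highest threshold exceeded, else None."""
    t = load_thresholds(options)
    n = largest_collection(json.loads(body))
    if n > t["threshold_high"]:
        return "high"
    if n > t["threshold_medium"]:
        return "medium"
    if n > t["threshold_low"]:
        return "low"
    return None


if __name__ == "__main__":
    print(classify(PAGINATED_BODY))   # None: 20 nodes is not above threshold_low
    print(classify(UNBOUNDED_BODY))   # high: 300 nodes exceeds threshold_high
    raised = {"threshold_low": 1000, "threshold_medium": 2000, "threshold_high": 5000}
    print(classify(UNBOUNDED_BODY, raised))  # None: same body, thresholds from the example above
```

Running the same unbounded body through the raised thresholds from the "Increase the thresholds" example shows the trade-off: the alert disappears not because the endpoint is paginated, but because the check now tolerates up to 1,000 nodes per response.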
Compliance and Standards¶
Standard | Value |
---|---|
OWASP API Top 10 | API8:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.18.1 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 770 |
CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
CVSS Score | 5.3 |