Security Test: Automatic Persisted Queries¶

Description¶

Default Severity:

When you rely on full query strings every time a client makes a GraphQL request, the server ends up parsing huge, sometimes complex queries repeatedly. Automatic Persisted Queries let you send just a short, unique identifier instead of the whole query, which cuts down on processing time and network load. The risk comes from not properly linking that identifier to a validated query, leaving room for attackers to send misleading or oversized requests that force the server to do unnecessary, heavy work. This can slow down your backend significantly or even open the door to denial-of-service scenarios if an attacker floods your server with bogus requests, a common pitfall when proper validation and rate limits aren’t in place.

Reference:

https://www.apollographql.com/docs/apollo-server/performance/apq/

Configuration¶

Identifier: configuration/graphql_apq

Examples¶

All configuration available:

checks:
  configuration/graphql_apq:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API8:2023
OWASP LLM Top 10	LLM04:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-97`
ISO 27001	`A.12.6`
NIST	`SP800-53`
FedRAMP	`AC-2`
CWE	`400`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:F/RL:O/RC:C`
CVSS Score	`4.9`