Security Test: Security timeout¶

Description¶

Default Severity:

When an application doesn’t set suitable limits on how long a request can run, attackers can purposely send heavy or complex requests that take too long to process, tying up resources and potentially denying service to legitimate users. This issue usually happens when developers rely on arbitrary timeout thresholds that don’t necessarily match the real-world demands of the application, leading to a situation where even a single carefully crafted query can slow down or temporarily incapacitate the service. Being unaware of proper timeout settings or defaulting to ones that are too generous is a common pitfall, and it leaves the system open to abuse and performance degradation.

Reference:

https://medium.com/workflowgen/graphql-query-timeout-and-complexity-management-fab4d7315d8d

Configuration¶

Identifier: frontend_resource_limitation/timeout

Examples¶

All configuration available:

checks:
  frontend_resource_limitation/timeout:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM04:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`400`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C`
CVSS Score	`7.2`