Resource Limitation: GraphQL Alias Limit

Identifier: graphql_alias_limit

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

GraphQL's alias feature lets a client request the same field several times under different names within a single document. That is convenient, but it also lets an attacker pack many copies of a similar query into one request that defensive measures such as rate limiting see as a single legitimate query. If the server does not account for this, a client can flood it with work, exhaust resources, or hide abusive operations inside what looks like one request. The vulnerability stems from budgeting the request, or the top-level query, rather than each aliased field it contains, so aliases are never counted properly when query requests are limited. Developers often assume a rate limit is foolproof without considering how aliasing lets a malicious client bypass it, which can lead to performance degradation or denial of service if left unaddressed.
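The defensive counterpart of the problem above, as an added example that is not the scanner's own code: a small pre-execution guard that counts field aliases in an incoming GraphQL document and rejects documents that exceed a budget, so that N aliased copies of one field are charged as N requests rather than one. The `search`, `user` and `nickname` fields in the sample queries and the budget of 10 are constructed for the illustration.

```python
import re
# Added example (not the scanner's own code): a dependency-free guard that
# counts field aliases in a GraphQL document so N aliased copies of one field
# are budgeted as N requests. A production server should do this on the parsed
# AST (e.g. a graphql-core visitor); this approximation skips strings, comments
# and argument lists and counts `name :` pairs in selection sets.

ALIAS_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*\s*:")
MAX_ALIASES = 10  # constructed budget; tune to the API's real per-request cost

def count_aliases(query: str) -> int:
    """Count `alias: field` pairs outside strings, comments and (...) lists."""
    count, depth, i, n = 0, 0, 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':  # skip "..." (honouring escapes) and """block strings"""
            if query.startswith('"""', i):
                j = query.find('"""', i + 3)
                i = n if j == -1 else j + 3
            else:
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1
                i += 1
            continue
        if c == "#":  # GraphQL comment runs to end of line
            j = query.find("\n", i)
            i = n if j == -1 else j + 1
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth = max(0, depth - 1)
        elif depth == 0 and not (i and (query[i - 1].isalnum() or query[i - 1] == "_")):
            m = ALIAS_RE.match(query, i)  # only at the start of a name token
            if m:
                count += 1
                i = m.end()
                continue
        i += 1
    return count

def enforce_alias_limit(query: str, limit: int = MAX_ALIASES) -> bool:
    """True if the document stays within the alias budget; False rejects it."""
    return count_aliases(query) <= limit

# Constructed samples: three aliased copies of one field versus one cosmetic alias.
ABUSIVE = '{ s1: search(term: "a") { id }  s2: search(term: "b") { id }  s3: search(term: "c") { id } }'
LEGIT = 'query Profile($id: ID!) { user(id: $id) { name displayName: nickname avatar(size: 64) { url } } }'
```

Wire `enforce_alias_limit` in before the query executor and feed the alias count into the same per-client budget the rate limiter already uses, so aliased repetitions consume the budget just as separate requests would.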

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_alias_limit:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.