
Resource Limitation: GraphQL Batch Limit

Identifier: graphql_batch_limit

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

A GraphQL engine that supports batching accepts an array of operations in a single HTTP request instead of one operation per request. When safeguards such as rate limiting, login lockout, or abuse detection are enforced per request rather than per operation, a client can pack many operations into one request and have them all executed for the cost of a single request: brute-forcing a password or one-time code behind a per-request lockout, for example, or simply overwhelming the engine with hundreds of queries in a single call until it denies service to other users. Developers should cap the number of operations allowed in one request and make sure their safeguards count operations rather than requests, because the default configuration of many engines places no limit on batch size and so turns a convenience feature into an open door for abuse.
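As an added illustration (example code, not the scanner's or any GraphQL server's own implementation), the block below shows what a batched request looks like on the wire and the two server-side guards the description calls for: a hard cap on operations per HTTP request, and a rate limiter that charges per operation rather than per request. The limits, the client key and the sample payloads are constructed assumptions.

```python
"""Added example, not part of the original page: detect a GraphQL batch request,
cap its size, and rate-limit by operation count so that bundling queries into one
HTTP request no longer bypasses the limit. Limits and payloads are assumed values."""
import json

MAX_BATCH_SIZE = 5          # assumed: operations allowed in one HTTP request
MAX_OPS_PER_WINDOW = 20     # assumed: operations per client per rate-limit window


class OperationRateLimiter:
    """Counts GraphQL operations per client key, not HTTP requests.

    A per-request counter would see a 200-operation batch as one hit; this
    counter charges 200 and rejects it."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = {}

    def charge(self, client, n_ops):
        used = self.counts.get(client, 0)
        if used + n_ops > self.limit:
            return False
        self.counts[client] = used + n_ops
        return True


def parse_batch(body):
    """Return the list of operations in a request body.

    A JSON object is a batch of one; a JSON array is a batch of len(array).
    Every element must carry a string 'query', otherwise the body is rejected."""
    data = json.loads(body)
    if isinstance(data, list):
        ops = data
    elif isinstance(data, dict):
        ops = [data]
    else:
        raise ValueError("body must be a JSON object or array")
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            raise ValueError("each operation needs a string 'query'")
    return ops


def check_request(body, client, limiter, max_batch=MAX_BATCH_SIZE):
    """Decide whether a request may be executed.

    Returns (accepted, reason, n_ops). Both the batch cap and the rate limit are
    evaluated before any operation runs, so an oversized batch costs nothing."""
    try:
        ops = parse_batch(body)
    except ValueError as exc:
        return False, f"malformed: {exc}", 0
    if len(ops) > max_batch:
        return False, f"batch of {len(ops)} exceeds limit {max_batch}", len(ops)
    if not limiter.charge(client, len(ops)):
        return False, "operation rate limit exceeded", len(ops)
    return True, "ok", len(ops)


# Constructed sample payloads: a single operation, a small legitimate batch, and a
# batch that tries 200 login guesses in one request to dodge a per-request lockout.
SINGLE = json.dumps({"query": "{ me { id } }"})
BATCH_OK = json.dumps([{"query": "{ me { id } }"} for _ in range(3)])
BATCH_ABUSE = json.dumps([
    {"query": 'mutation { login(user: "admin", password: "guess%d") { token } }' % i}
    for i in range(200)
])


def demo():
    """Run the three payloads through one limiter for a single client."""
    limiter = OperationRateLimiter(MAX_OPS_PER_WINDOW)
    return [check_request(body, "10.0.0.1", limiter)
            for body in (SINGLE, BATCH_OK, BATCH_ABUSE)]


if __name__ == "__main__":
    for accepted, reason, n_ops in demo():
        print(f"{n_ops:>3} op(s): {'accepted' if accepted else 'rejected'} ({reason})")
```

The same `check_request` path also catches the slower variant of the attack, where a client stays under the batch cap but sends many small batches: because the limiter is charged per operation, seven batches of three operations exhaust a 20-operation window on the seventh request, exactly as 21 single-operation requests would.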

Configuration

Example

Example configuration:

---
security_tests:
  graphql_batch_limit:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.