Resource Limitation: GraphQL Cyclic Recursive Query

Identifier: graphql_circular_introspection

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

When an attacker sends a query whose selected objects reference each other in a loop, the returned data can grow exponentially with the nesting depth. The vulnerability arises when the server does not properly bound these circular selections: each repeated reference adds more data to resolve and serialize until it overwhelms the server's capacity. This can lead to a Denial of Service, making the system slow or completely unavailable. Many developers fall into the trap of assuming that the query size will automatically be capped or that such recursive queries won't occur, leaving the system exposed if those safeguards aren't explicitly set up.
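One form the "explicitly set up" safeguard can take is a selection-depth limit applied before a document is executed. The following is an added example, not code from this page or from the scanner: it counts nested selection sets lexically (skipping braces inside comments and strings), rejects documents above a limit, and is run against two constructed queries, one ordinary and one that follows the introspection cycle `__Type -> fields -> type -> fields`. The limit of 5, the sample queries and all function names are assumptions.

```python
"""Lexical GraphQL selection-depth limiter (constructed example, not scanner code)."""
from dataclasses import dataclass

MAX_DEPTH = 5  # constructed limit; set it just above your deepest legitimate query

@dataclass(frozen=True)
class DepthResult:
    max_depth: int
    allowed: bool

def max_selection_depth(query: str) -> int:
    """Deepest nesting of `{ ... }` selection sets; braces inside comments and
    strings are skipped. Fragment spreads are not resolved (an AST rule is needed)."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":  # comment runs to end of line
            while i < n and query[i] not in "\r\n":
                i += 1
        elif query.startswith('"""', i):  # block string
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
        elif ch == '"':  # plain string, honouring backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        else:
            if ch == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced braces in GraphQL document")
            i += 1
    if depth != 0:
        raise ValueError("unbalanced braces in GraphQL document")
    return max_depth

def enforce_depth_limit(query: str, limit: int = MAX_DEPTH) -> DepthResult:
    """Call before execution and reject the request when `allowed` is False."""
    depth = max_selection_depth(query)
    return DepthResult(depth, depth <= limit)

# Constructed samples: an ordinary query, and an introspection query walking the __Type/fields cycle.
SAFE_QUERY = 'query Me {\n  viewer {\n    # a "}" in a comment must not count\n    friends(name: "}") { id }\n  }\n}'
CYCLIC_QUERY = '{ __schema { types { fields { type { fields { type { name } } } } } } }'
```

A lexical check is cheap enough to run on every request, but it does not see through fragment spreads; complement it with a depth or cost rule evaluated on the parsed document.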

Configuration

Example

Example configuration:

---
security_tests:
  graphql_circular_introspection:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.