
Resource Limitation: GraphQL Depth Limit

Identifier: graphql_depth_limit

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

A GraphQL depth limit vulnerability exists when the server accepts a very deeply nested query, forcing it to do far more work than a legitimate request needs. Because GraphQL does not restrict query nesting by default, a client can intentionally craft a query that exhausts server resources and slows or even crashes the service. This opens the door to denial-of-service attacks and can also cause the application to return more data than intended. Developers often overlook enforcing such a limit, leaving the API exposed to unbounded resource consumption.
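The mitigation for this check is to measure the nesting depth of each incoming query before executing it and reject documents above a fixed threshold. The following Python example is added here to illustrate that validation; it is not part of this page's scanner and not code from the project it documents. It counts selection-set nesting at the lexer level (skipping string literals and `#` comments), so the sample query, the `nested_query` helper, the depth convention (`{ user { posts { title } } }` is depth 3) and the limit value are all assumptions chosen for the example.

```python
"""Depth-limit validation for incoming GraphQL queries (added example)."""

from dataclasses import dataclass


@dataclass
class DepthCheck:
    """Result of validating one query against the configured depth limit."""
    depth: int
    allowed: bool


def query_depth(query: str) -> int:
    """Return the maximum selection-set nesting of a GraphQL document.

    Depth is counted as the number of nested selection sets, so
    `{ user { posts { title } } }` has depth 3. Braces inside string
    literals and `#` comments are ignored. This is a lexer-level
    approximation: object-literal default values in variable
    definitions also use braces and would be counted, and block
    strings (\"\"\"...\"\"\") are treated as a run of ordinary strings.
    """
    depth = max_depth = 0
    in_string = in_comment = escaped = False
    for ch in query:
        if in_comment:
            if ch == "\n":
                in_comment = False
            continue
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == "#":
            in_comment = True
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in query")
    if depth != 0:
        raise ValueError("unbalanced braces in query")
    return max_depth


def check_depth(query: str, max_depth: int) -> DepthCheck:
    """Decide whether a query may be executed under the given depth limit."""
    depth = query_depth(query)
    return DepthCheck(depth=depth, allowed=depth <= max_depth)


def nested_query(levels: int) -> str:
    """Build a constructed test document `{ a { a { ... id } } }` with
    `levels` nested selection sets, used only to exercise the limit."""
    inner = "id"
    for _ in range(levels - 1):
        inner = f"a {{ {inner} }}"
    return f"{{ {inner} }}"


# Constructed sample: the kind of request a legitimate client sends.
SAMPLE_QUERY = """
# fetch a user's post titles
query {
  user(id: "{not-a-brace}") {
    posts {
      title
    }
  }
}
"""

# Assumed limit for this example; tune it to the deepest query your
# schema legitimately needs, since the right value is schema-specific.
MAX_DEPTH = 10


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_QUERY), ("deep", nested_query(25))):
        result = check_depth(doc, MAX_DEPTH)
        verdict = "accept" if result.allowed else "reject"
        print(f"{name}: depth={result.depth} -> {verdict}")
```

In a real deployment the same decision is better taken on the parsed AST (for example with a validation rule over `graphql-core`'s parser in Python, or the `graphql-depth-limit` validation rule in JavaScript), which avoids the lexer-level caveats noted in the docstring; the structure of the check, measure first and refuse before resolvers run, stays the same.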

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_depth_limit:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.