
Resource Limitation: GraphQL Field Duplication

Identifier: graphql_field_duplication

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

A GraphQL server that accepts the same field repeated many times in one selection set (for example { user { name name name ... } }, or the same field under hundreds of different aliases) is exposed to a cheap denial of service. Every repetition has to be parsed and validated (the overlapping-fields validation rule compares duplicates pairwise, so its cost grows faster than the query size), and when the copies carry different aliases each one is resolved separately. A single request of a few kilobytes can therefore drive CPU and memory use far out of proportion to the response it produces and leave the server unresponsive. Developers often overlook this because duplicated fields add nothing to a legitimate query; the server should bound how many times a field may appear in a selection set, aliased copies included, just as it bounds query depth and complexity.
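The following is an added example, not code from the original page or from the scanner it documents. It builds the two probe shapes described above (a field repeated thousands of times, and the same field under many aliases) and shows a server-side check that counts how often any one field appears within a single selection set and rejects the request before execution. It uses a small hand-written lexer rather than a full GraphQL parser, and the limit of 10 repeats is an assumed policy value, not a value from the page.

```python
import re
from collections import Counter

# Constructed sample queries (not from the original page): one benign,
# one with a single field repeated 5000 times, one with 200 aliased copies.
BENIGN = "query { user(id: 1) { id name email } }"
ATTACK = "query { user(id: 1) { " + "name " * 5000 + "} }"
ATTACK_ALIASED = "{ user { " + " ".join(f"a{i}: name" for i in range(200)) + " } }"

# Minimal GraphQL lexer: enough to walk selection sets, not a full parser.
# Strings and numbers only occur inside arguments (parentheses), which the
# walker skips, so block strings lexing as several plain strings is harmless.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'            # string literal
    r'|#[^\n]*'                     # comment, dropped below
    r'|\$?[_A-Za-z][_0-9A-Za-z]*'   # name or $variable
    r'|\.\.\.'                      # fragment spread / inline fragment
    r'|-?\d+(?:\.\d+)?'             # number
    r'|[{}():@!\[\]=]'              # punctuation (commas are insignificant and skipped)
)
_NAME = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')


def max_field_duplication(query: str) -> tuple[str, int]:
    """Return (field, count) for the field that appears most often within one
    selection set. Aliased copies (`a: name b: name`) count against the same
    field, because each alias is a distinct response key resolved on its own."""
    tokens = [t for t in _TOKEN.findall(query) if not t.startswith("#")]
    stack: list[Counter] = []   # one Counter per currently open selection set
    paren_depth = 0             # > 0 while inside arguments / variable definitions
    worst = ("", 0)
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t == "(":
            paren_depth += 1
        elif t == ")":
            paren_depth -= 1
        elif paren_depth == 0:
            if t == "{":
                stack.append(Counter())
            elif t == "}":
                if stack:
                    stack.pop()
            elif t == "...":
                # `...Frag` or `... on Type`: the following name is not a field
                i += 1
                if i < len(tokens) and tokens[i] == "on":
                    i += 1
            elif t == "@":
                i += 1  # directive name is not a field
            elif stack and _NAME.fullmatch(t):
                # alias form `alias: field`: the real field comes after the colon
                if i + 2 < len(tokens) and tokens[i + 1] == ":":
                    i += 2
                    t = tokens[i]
                counts = stack[-1]
                counts[t] += 1
                if counts[t] > worst[1]:
                    worst = (t, counts[t])
        i += 1
    return worst


def is_within_limit(query: str, max_repeats: int = 10) -> bool:
    """Gate a query before validation and execution. The default of 10 is an
    assumed policy value; derive it from the largest legitimate client query."""
    return max_field_duplication(query)[1] <= max_repeats


if __name__ == "__main__":
    for label, q in [("benign", BENIGN), ("repeated", ATTACK), ("aliased", ATTACK_ALIASED)]:
        verdict = "allowed" if is_within_limit(q) else "rejected"
        print(label, max_field_duplication(q), verdict)
```

Run the check before the regular validation pass, not after it: the point is to reject the request before the parser and the overlapping-fields rule have already spent the CPU the attacker was hoping to burn. Counting by underlying field name rather than by response key is what catches the aliased variant.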

Configuration

Example

Example configuration:

---
security_tests:
  graphql_field_duplication:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.