Resource Limitation: GraphQL Field Limit

Identifier: graphql_field_limit

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

This vulnerability arises when a GraphQL API accepts queries that select an excessive number of fields, which can exhaust server resources or unintentionally expose sensitive data. Attackers can deliberately craft overly complex queries to stress the server, degrading performance or causing a denial of service, while also retrieving more information than intended. Developers often omit strict limits on query complexity, leaving the API exposed if these weaknesses are exploited.
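As an added illustration of the mitigation (this is example code, not part of this page or of the scanner it documents), the following Python module counts the fields a GraphQL query selects before the query is executed and rejects it when the count exceeds a limit. The tokenizer, the `measure` and `validate_field_limit` functions, the `MAX_FIELDS` value and the two sample queries are all assumptions constructed for this example; a production server would normally use its GraphQL library's validation-rule hook instead of a hand-written tokenizer.

```python
"""Count selection fields in a GraphQL query and reject queries over a limit (example code)."""
import re
from dataclasses import dataclass

# Illustrative limit; tune it per schema. Assumed value, not from the scanner's documentation.
MAX_FIELDS = 100

# Constructed sample queries (not taken from any real API).
SMALL_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) {
    id
    name
    email
  }
}
"""

# Constructed abusive query: 50 aliased copies of the same object, 4 fields each = 200 fields.
EXCESSIVE_QUERY = "query Flood {\n" + "".join(
    f'  u{i}: user(id: "{i}") {{ id name email }}\n' for i in range(50)
) + "}\n"

# Minimal GraphQL tokenizer. Commas and comments are insignificant, as in the GraphQL spec.
TOKEN_RE = re.compile(r'''
    (?P<ws>[\s,]+|\#[^\n]*)
  | (?P<spread>\.\.\.)
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
  | (?P<punct>[{}()\[\]:=@$!|&])
''', re.VERBOSE)


def tokenize(src: str):
    """Return (kind, text) tokens, dropping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


@dataclass
class QueryShape:
    fields: int      # total number of selected fields (aliases count once, as the field they alias)
    max_depth: int   # deepest selection-set nesting; the operation's own braces are depth 1


def measure(query: str) -> QueryShape:
    """Walk the token stream and count names that sit in selection position."""
    tokens = tokenize(query)
    fields = depth = max_depth = paren_depth = 0
    i = 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "punct":
            if text == "(":
                paren_depth += 1            # argument list or variable definitions: not fields
            elif text == ")":
                paren_depth -= 1
            elif paren_depth == 0 and text == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif paren_depth == 0 and text == "}":
                depth -= 1
            elif paren_depth == 0 and text == "@":
                i += 1                      # skip the directive name
        elif kind == "spread" and paren_depth == 0:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt == ("name", "on"):
                i += 2                      # `... on Type`: skip `on` and the type name
            elif nxt and nxt[0] == "name":
                i += 1                      # `...fragmentName`: the spread itself is not a field
            # Fragment bodies are counted once, where defined; a production validator should
            # expand spreads so repeated use of one fragment is charged each time.
        elif kind == "name" and depth > 0 and paren_depth == 0:
            is_alias = i + 1 < len(tokens) and tokens[i + 1] == ("punct", ":")
            if not is_alias:
                fields += 1
        i += 1
    if depth != 0 or paren_depth != 0:
        raise ValueError("unbalanced braces or parentheses")
    return QueryShape(fields=fields, max_depth=max_depth)


def validate_field_limit(query: str, max_fields: int = MAX_FIELDS) -> dict:
    """Decide before execution; the error shape mirrors a GraphQL `errors` entry."""
    shape = measure(query)
    if shape.fields > max_fields:
        return {"allowed": False, "fields": shape.fields, "max_depth": shape.max_depth,
                "errors": [{"message": f"query selects {shape.fields} fields; limit is {max_fields}"}]}
    return {"allowed": True, "fields": shape.fields, "max_depth": shape.max_depth}


if __name__ == "__main__":
    for name, q in (("small", SMALL_QUERY), ("excessive", EXCESSIVE_QUERY)):
        print(name, validate_field_limit(q))
```

The check runs on the parsed query alone, so it costs nothing proportional to the data behind the fields, which is what makes it usable as a pre-execution guard; the same measurement also yields nesting depth, which is the companion limit most servers enforce alongside a field cap.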

Configuration

Example

Example configuration:

---
security_tests:
  graphql_field_limit:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.