Resource Limitation: GraphQL Width Limit

Identifier: graphql_width_limit

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Without a limit on how many fields and nested subfields a single GraphQL query may select, an attacker can craft an oversized query that requests far more data than the API was designed to serve. Such a query can degrade performance, slow down or even crash the server, and it may expose more information than intended. Developers often overlook restricting query depth or width, which leaves the application open to denial-of-service attacks and unintentional data leakage.
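As an added example (not part of this documentation or of the scanner's code), a small Python gate that a GraphQL server could run before executing an operation: it measures the width (fields per selection set) and depth (nesting of selection sets) of the query and reports which limits it exceeds. The limits, the supported grammar (a single operation with aliases, arguments and directives; fragments and block strings are rejected) and the three sample queries are constructed for illustration.

```python
import re
# Tokens of a GraphQL document: whitespace/commas/comments, strings, names, numbers, punctuators.
_TOKENS = re.compile(r'\s+|,|#[^\n]*|"(?:[^"\\]|\\.)*"|[_A-Za-z]\w*|-?\d[\d.eE+-]*|[{}():@$!=\[\]]')

def _tokenize(query):
    toks = [m.group() for m in _TOKENS.finditer(query)]  # finditer skips junk, so check coverage
    if sum(map(len, toks)) != len(query):
        raise ValueError("unsupported character in query")
    return [t for t in toks if t.strip(" \t\r\n,") and not t.startswith("#")]

def _skip_parens(tokens, i):
    # tokens[i] is "(": return the index just past its matching ")".
    depth, i = 1, i + 1
    while depth:
        depth, i = depth + {"(": 1, ")": -1}.get(tokens[i], 0), i + 1
    return i

def _selection_set(tokens, i, depth, stats):
    # Walk the "{ ... }" at tokens[i], recording the widest set and deepest nesting.
    stats["depth"], width, i = max(stats["depth"], depth), 0, i + 1
    while tokens[i] != "}":
        if not re.fullmatch(r"[_A-Za-z]\w*", tokens[i]):   # fragments are out of scope
            raise ValueError(f"unsupported syntax near {tokens[i]!r}")
        i += 3 if tokens[i + 1] == ":" else 1                # "alias: field" or "field"
        if tokens[i] == "(":                                 # arguments add no width
            i = _skip_parens(tokens, i)
        while tokens[i] == "@":                              # directives, optional arguments
            i = _skip_parens(tokens, i + 2) if tokens[i + 2] == "(" else i + 2
        width += 1                                           # each field widens this set
        if tokens[i] == "{":                                 # nested selection: one level deeper
            i = _selection_set(tokens, i, depth + 1, stats)
    stats["width"] = max(stats["width"], width)
    return i + 1

def measure(query):
    # Skip an optional `query Name($v: Int) @dir` header, then walk the selection set.
    tokens, stats, i = _tokenize(query), {"width": 0, "depth": 0}, 0
    while tokens[i] != "{":
        i = _skip_parens(tokens, i) if tokens[i] == "(" else i + 1
    if _selection_set(tokens, i, 1, stats) != len(tokens):
        raise ValueError("this example handles a single operation only")
    return stats

def check_limits(query, max_width=10, max_depth=5):  # constructed limits; tune them per schema
    s = measure(query)  # an empty result means the query may be executed
    return [f"{k} {s[k]} exceeds {lim}" for k, lim in
            (("width", max_width), ("depth", max_depth)) if s[k] > lim]

NARROW = "query Me($id: ID!) { user(id: $id) { name email } }"   # constructed, acceptable
WIDE = '{ user(id: "x") { ' + " ".join(f"a{n}: name" for n in range(12)) + " } }"  # constructed
DEEP = "{ a { b { c { d { e { f } } } } } }"                     # constructed, too deep
```

Rejecting the query before resolvers run is what keeps a wide or deep selection from costing the server anything beyond parsing it.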

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_width_limit:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.