Security Test: Character limit¶
Description¶
Default Severity:
When there's no limit on how long a query can be, an attacker might send a query that’s excessively long to overwhelm the system or trick it into revealing internal details. This is dangerous because it can lead to a denial-of-service where the server struggles to process large requests, or even leak sensitive information if the query parsing exposes insights about the backend. Developers should be careful to impose limits or validations on the query lengths to avoid these issues.
Reference:
Configuration¶
Identifier:
resource_limitation/character_limit
Examples¶
All configuration available:
checks:
resource_limitation/character_limit:
skip: false # default
options:
threshold: 15000 # default
Options¶
Options can be set in the options key of the Security Test Configuration.
| Property | Type | Default | Description |
|---|---|---|---|
threshold | number | 15000 | Maximum characters before raising an alert (-1 = infinite) |
Compliance and Standards¶
| Standard | Value |
|---|---|
| OWASP API Top 10 | API8:2023 |
| OWASP LLM Top 10 | LLM04:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-4 |
| CWE | 400 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R |
| CVSS Score | 4.9 |