Security Test: Cyclic query
Description
Default Severity:
GraphQL object types can reference each other (a User has posts, a Post has an author who is again a User). Wherever the type graph contains such a cycle, a client can follow it around as many times as it likes, so the nesting of a query is bounded only by the size of the request. Each additional level multiplies the resolver calls, database lookups and memory the server spends on a single request, which means a handful of deeply nested cyclic queries can exhaust CPU or memory and deny service to every other client. The weakness is the absence of a limit on query depth (or on overall query complexity) at the server; leaving that limit out is a common oversight, and the only fix is to reject over-deep queries before they are executed.
Reference:
Configuration
Identifier:
resource_limitation/cyclic_query
Examples
All configuration available:

```yaml
checks:
  resource_limitation/cyclic_query:
    skip: false # default
    options:
      skip_objects: # cf. Options below
```
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
skip_objects | List[string] | | List of object types that the security test skips when looking for cycles. |
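The following is an added, self-contained illustration of the mechanism described above and of what the skip_objects option changes; it is not the scanner's own code. It walks a small constructed schema (the type names, field names and the `find_cycle`, `build_cyclic_query`, `query_depth` and `within_depth_limit` helpers are all assumptions made for this example) to find a cycle between object types, builds the nested query that such a cycle allows, and shows the server-side depth check that rejects it.

```python
"""Added example (not the scanner's own code): find a cycle in a GraphQL
object graph, build the nested query it enables, and enforce a depth limit.
The schema below is constructed for this example."""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed schema: object type -> {field: return type}. Return types that
# are not keys of SCHEMA (ID, String) are treated as scalars.
SCHEMA: Dict[str, Dict[str, str]] = {
    "Query": {"me": "User"},
    "User": {"id": "ID", "posts": "Post"},
    "Post": {"title": "String", "author": "User"},
}


def find_cycle(schema: Dict[str, Dict[str, str]], root: str = "Query",
               skip_objects: Sequence[str] = ()) -> Optional[Tuple[List[str], List[str]]]:
    """Depth-first search from `root`. Returns (prefix_fields, cycle_fields):
    the fields that lead from the root into the cycle and the fields that
    walk the cycle once. Object types named in skip_objects are never
    traversed (the same idea as the test's skip_objects option).
    Returns None when no cycle is reachable."""
    def dfs(type_name, path_types, path_fields):
        for field, target in schema[type_name].items():
            if target not in schema or target in skip_objects:
                continue  # scalar, or an object type the caller chose to skip
            if target in path_types:
                first = path_types.index(target)
                return path_fields[:first], path_fields[first:] + [field]
            found = dfs(target, path_types + [target], path_fields + [field])
            if found is not None:
                return found
        return None
    return dfs(root, [root], [])


def build_cyclic_query(prefix: Sequence[str], cycle: Sequence[str],
                       repeats: int, leaf: str = "id") -> str:
    """Nest the cycle `repeats` times under the prefix fields. Each repeat adds
    len(cycle) selection levels, so the depth grows without any schema change."""
    selection = leaf
    for field in reversed(list(prefix) + list(cycle) * repeats):
        selection = f"{field} {{ {selection} }}"
    return f"query {{ {selection} }}"


def query_depth(query: str) -> int:
    """Maximum selection-set nesting of a query document, counting the outer
    operation braces as level 1. Braces inside string arguments are ignored
    so that an attacker cannot inflate or deflate the count with literals."""
    depth = best = 0
    in_string = False
    i = 0
    while i < len(query):
        c = query[i]
        if in_string:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "{":
            depth += 1
            best = max(best, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return best


def within_depth_limit(query: str, max_depth: int) -> bool:
    """Server-side guard: reject the document before execution when its
    nesting exceeds max_depth."""
    return query_depth(query) <= max_depth


if __name__ == "__main__":
    found = find_cycle(SCHEMA)
    print("cycle:", found)                               # (['me'], ['posts', 'author'])
    print("with Post skipped:", find_cycle(SCHEMA, skip_objects=("Post",)))
    attack = build_cyclic_query(*found, repeats=50)
    print("depth:", query_depth(attack), "accepted:", within_depth_limit(attack, 8))
```

A real deployment would run this check inside the GraphQL server's validation phase (most servers expose a validation-rule or plugin hook for exactly this) and usually pair it with a cost or complexity limit, since a wide but shallow query can be just as expensive as a deep one. The `skip_objects` parameter in `find_cycle` mirrors the test option: excluding a type removes every cycle that passes through it, which is why skipping a type you know to be harmless can also hide a real one.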
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.1 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-97 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-4 |
CWE | 400 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C |
CVSS Score | 5.1 |