Security Test: Batch Limit
Description
Default Severity:
The Batch Limit vulnerability arises when a GraphQL engine accepts many queries in a single request, which attackers can exploit to slip past safeguards such as rate limits. Instead of sending one request per query, a malicious user can bundle many queries together, overwhelming the system, bypassing security checks that count requests rather than queries, or causing a denial-of-service condition. Developers need to bound how many queries one request may carry and ensure their safeguards still hold when multiple queries are combined, because the default, unlimited batching setup can be turned into an open door for abuse.
Reference:
Configuration
Identifier:
resource_limitation/graphql_batch_limit
Examples
All configuration available:

```yaml
checks:
  resource_limitation/graphql_batch_limit:
    skip: false # default
    options:
      threshold: 15 # default
```
Options
Options can be set in the options key of the Security Test Configuration.

| Property | Type | Default | Description |
|---|---|---|---|
| threshold | number | 15 | Maximum number of batched documents allowed to be sent |
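The description above explains the risk and the threshold option defines the bound the scanner tests against. As an added example (not code from the original page or the scanner's own), here is a server-side pre-check that counts the documents in a GraphQL request body and rejects whole batches above the threshold, so a rate limiter that counts requests is not bypassed by batching. The function names, the use of a JSON-array body for batches and the 429 status for rejection are assumptions for this illustration.

```python
import json

# Assumed default, matching the check's threshold option above.
DEFAULT_THRESHOLD = 15


def count_batched_documents(body: str) -> int:
    """Return the number of GraphQL documents in a JSON request body.

    A single JSON object is one document; a JSON array is a batch whose
    length is the document count. Anything else is treated as malformed.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("request body is not valid JSON") from exc
    if isinstance(payload, dict):
        return 1
    if isinstance(payload, list):
        # An empty batch, or an element that is not a request object, is malformed.
        if not payload or not all(isinstance(i, dict) and "query" in i for i in payload):
            raise ValueError("batch is empty or contains a non-request element")
        return len(payload)
    raise ValueError("request body must be a JSON object or array")


def enforce_batch_limit(body: str, threshold: int = DEFAULT_THRESHOLD) -> tuple[int, int]:
    """Decide whether the request may reach the GraphQL engine.

    Returns (http_status, document_count): 200 when the batch is within the
    threshold, 400 for malformed bodies, 429 when the batch exceeds it.
    The batch is rejected as a whole rather than truncated, so no query in
    an oversized batch is ever executed.
    """
    try:
        count = count_batched_documents(body)
    except ValueError:
        return 400, 0
    if count > threshold:
        return 429, count
    return 200, count


def constructed_batch(n: int) -> str:
    # Constructed sample input: a batch of n copies of a trivial query.
    return json.dumps([{"query": "{ __typename }"}] * n)


if __name__ == "__main__":
    print(enforce_batch_limit('{"query": "{ __typename }"}'))  # (200, 1)
    print(enforce_batch_limit(constructed_batch(15)))          # (200, 15)
    print(enforce_batch_limit(constructed_batch(16)))          # (429, 16)
```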
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API8:2023 |
| OWASP LLM Top 10 | LLM04:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-2 |
| CWE | 770 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:R |
| CVSS Score | 4.9 |