Security Test: Field limit
Description
Default Severity:
This vulnerability arises when a GraphQL API accepts queries that select an excessive number of fields. Such queries can overwhelm server resources or unintentionally expose sensitive data. Attackers can craft deliberately complex queries to stress the server, degrading performance or causing a denial of service, while also retrieving more information than intended. Developers sometimes neglect to enforce strict limits on query complexity, leaving the system exposed to this kind of abuse.
Reference:
Configuration
Identifier:
resource_limitation/graphql_field_limit
Examples
All available configuration:
```yaml
checks:
  resource_limitation/graphql_field_limit:
    skip: false # default
    options:
      threshold: 100 # default
```
Options
Options can be set in the options key of the Security Test Configuration.
Property | Type | Default | Description |
---|---|---|---|
threshold | number | 100 | Maximum fields before raising an alert (-1 = infinite). |
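The following is an added illustration of the kind of limit the Description and the threshold option describe, written for this page rather than taken from the product: a stdlib-only field counter that walks a GraphQL document, ignores arguments, directives, aliases and names that are not fields, and applies the threshold with -1 meaning no limit. The sample queries are constructed, and the rule that an alert fires when the count is strictly above the threshold is an assumption.

```python
import re

# Tokenizer for the subset of GraphQL syntax needed to count fields; a quoted
# string is a single token, so words inside argument literals are never counted.
_TOKEN = re.compile(r'\$?[A-Za-z_]\w*|"(?:\\.|[^"\\])*"|\.\.\.|[^\s,]')
_NAME = re.compile(r"[A-Za-z_]\w*$")
_OPERATIONS = {"query", "mutation", "subscription", "fragment"}

def count_fields(document: str) -> int:
    """Count the fields selected in a GraphQL document.

    Not counted, because they add no resolver work by themselves: argument
    lists (everything inside parentheses, variable definitions included),
    directive names, aliases, operation/fragment names and type conditions.
    Simplification: a field literally named 'on' or 'query' reads as a keyword.
    """
    tokens = _TOKEN.findall(re.sub(r"#[^\n]*", "", document))  # drop comments
    fields = depth = i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0:                           # inside a selection set
            if tok in ("@", "on"):                 # directive name / type condition
                i += 1
            elif tok in _OPERATIONS:               # optional operation/fragment name
                i += 1 if _NAME.match(nxt) else 0
            elif tok == "..." and nxt != "on" and _NAME.match(nxt):
                i += 1                             # fragment spread: skip its name
            elif _NAME.match(tok) and nxt != ":":
                fields += 1                        # a real field; aliases are skipped
        i += 1
    return fields

def exceeds_field_limit(document: str, threshold: int = 100) -> bool:
    """Apply the check's threshold option: -1 disables the limit.
    Assumption: the alert fires when the count is strictly above the threshold."""
    return threshold != -1 and count_fields(document) > threshold

# Constructed samples: a normal query using fragments, and a deliberately wide one.
NORMAL_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) { id name email @include(if: true) ... on Admin { permissions } ...Contact }
}
fragment Contact on User { phone address { street city } }
"""
WIDE_QUERY = "{ viewer { " + " ".join(f"f{n}: field" for n in range(150)) + " } }"
```

A production limiter would use the server's own parser and also expand fragment spreads before counting, so that fields hidden behind a fragment are charged to the query that uses it.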
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API4:2023 |
OWASP LLM Top 10 | LLM04:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-6 |
CWE | 770 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C |
CVSS Score | 5.1 |