Skip to content

Security timeout

Description

Requests that take a long time to process can be used by attackers to create Denial-of-Service (DoS) situations.

This security test is based on an arbitrary timeout threshold that might not match your application's requirements. To learn how to change it, head over to the configuration section below.

Example: Querying getAllUsers(){ contacts { contacts }} returns a response after 15s.

Remediation

Implement a server timeout. For example, a server configured with a 5 seconds timeout would stop the execution of any query that takes over 5 seconds. Pros: - Simple to implement. - Most security strategies use a timeout as a final layer of protection. Cons: - Damage can already have been done before the timeout kicks in. - Can trigger other issues. Stoping connection after a certain time may result in strange behaviors and corrupt data. Warning : When a timeout is configured on the server, the socket may be closed while the underlying request continues. Make sure that the request is actually canceled.

GraphQL Specific

Apollo To mitigate security risks associated with the Apollo framework engine, ensure that all user inputs are validated and sanitized before processing. Implement proper authentication and authorization checks to prevent unauthorized access. Regularly update the Apollo framework and its dependencies to patch known vulnerabilities. Additionally, consider setting up a security timeout feature that automatically logs out users after a period of inactivity to reduce the risk of session hijacking.
Yoga To address the security timeout issue within the Yoga framework engine, ensure that session timeout values are appropriately configured to balance usability with security. Implement automatic session expiration after a defined period of inactivity, and prompt users to re-authenticate to continue their session. This helps to mitigate the risk of unauthorized access from unattended user sessions.
Awsappsync To enhance security within the AWS AppSync framework, it is recommended to implement a security timeout feature. This can be achieved by setting appropriate timeout values for resolvers to prevent excessively long-running operations that could potentially expose the system to denial-of-service attacks or unintended resource consumption. Configure the 'timeoutInMillis' field for each resolver to a sensible value that balances performance and security, ensuring that operations complete within an acceptable timeframe without compromising the system's stability or user experience.
Graphqlgo Implement a security timeout mechanism in the GraphQL Go framework engine to automatically terminate sessions that exceed a predefined period of inactivity. This helps to reduce the risk of unauthorized access from unattended sessions. Configure the timeout duration based on the sensitivity of the application's data and operations. Ensure that the timeout settings are enforced consistently across the application and that users are informed about the timeout policy to prevent data loss due to unexpected session termination.
Graphqlruby Implement query complexity analysis to prevent resource exhaustion attacks. Define a complexity budget and use the `max_complexity` setting in GraphQL-Ruby to enforce it. This will help to mitigate potential denial-of-service attacks by ensuring that overly complex queries cannot be executed.
Hasura Implement a security timeout mechanism in the Hasura framework engine to automatically terminate sessions after a period of inactivity. This reduces the risk of unauthorized access from unattended sessions. Configure the 'HASURA_GRAPHQL_JWT_SECRET' environment variable with an appropriate 'claims_namespace' and 'claims_format' to include custom claims for session timeout. Use these claims to enforce session expiration on the client-side, and ensure that the Hasura engine validates the expiration claim to prevent the use of expired tokens.
Agoo Implement a security timeout in the Agoo framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Ariadne Implement a request timeout in the Ariadne framework to prevent long-running queries from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Caliban Implement a security timeout in the Caliban framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Dgraph Implement a security timeout in the Dgraph framework to prevent long-running queries from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Dianajl Implement a security timeout in the DianaJL framework engine to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Directus Implement a request timeout configuration in Directus to prevent long-running queries from causing potential Denial-of-Service (DoS) vulnerabilities. Adjust the timeout settings according to your application's performance requirements to ensure optimal security and functionality.
Flutter Implement a request timeout mechanism in your Flutter application to prevent long-running requests from causing potential Denial-of-Service (DoS) vulnerabilities. Adjust the timeout duration according to your application's specific needs to ensure optimal performance and security.
Graphene Implement a request timeout in the Graphene framework to prevent long-running queries from causing Denial-of-Service (DoS) issues. Adjust the timeout threshold according to your application's performance requirements to ensure optimal security and functionality.
Graphqlapiforwp Implement a security timeout for GraphQL queries in the GraphQL API for WordPress framework to prevent potential Denial-of-Service (DoS) attacks by setting an appropriate timeout threshold based on your application's performance requirements.
Graphqlgophergo Implement a security timeout in the GraphQL GopherGo framework engine to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Graphqljava Implement a security timeout in your GraphQL Java framework to prevent long-running queries from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Graphqlphp Implement a request timeout configuration in the GraphQL PHP framework to prevent long-running queries from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's performance requirements to ensure optimal security and functionality.
Graphqlyoga Implement a security timeout in the GraphQL Yoga framework to prevent long-running queries from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Hypergraphql Implement a request timeout configuration in the HyperGraphQL framework to prevent long-running queries from causing Denial-of-Service (DoS) vulnerabilities.
Jaal Implement a security timeout to prevent long-running requests that could lead to Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Juniper Implement a security timeout in the Juniper framework engine to prevent long-running requests from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific requirements to ensure optimal performance and security.
Lacinia Implement a security timeout in the Lacinia framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Lighthouse Implement a security timeout to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Mercurius Implement a security timeout in the Mercurius framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Morpheusgraphql Implement a security timeout in the MorpheusGraphQL framework engine to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Qglgen Implement a request timeout configuration in gqlgen to prevent long-running queries from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's performance requirements to ensure optimal security and functionality.
Sangria Implement a request timeout configuration in the Sangria framework to prevent long-running queries from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Shopify Implement a security timeout for long-running requests to prevent potential Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your Shopify application's specific requirements to ensure optimal performance and security.
Stepzen Implement a security timeout in the StepZen framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Strawberry Implement a security timeout in the Strawberry framework to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Tartiflette Implement a request timeout configuration in the Tartiflette framework to prevent long-running queries from causing Denial-of-Service (DoS) situations.
Wpgraphql Implement a security timeout to prevent long-running requests in the WPGraphQL framework, which can be exploited for Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.

REST Specific

Asp_net Implement request timeout limits and optimize long-running processes within the ASP.NET application to prevent potential DoS attacks.
Ruby_on_rails Implement request timeout settings in your Ruby on Rails application to prevent long-running requests from causing a Denial-of-Service (DoS). Configure Rack::Timeout or a similar middleware to define a maximum time a request can take, and ensure that your web server (e.g., Puma, Unicorn) has appropriate timeout settings as well.
Next_js Implement server-side request timeout limits and use efficient data retrieval methods to prevent long-running queries that could lead to DoS attacks.
Laravel Implement request throttling and set a maximum execution time for queries in Laravel by using middleware to prevent long-running requests that could lead to DoS attacks.
Express_js Implement rate limiting and set up a maximum request timeout in your Express.js application to prevent long-running requests from causing DoS. Use middleware like `express-rate-limit` for rate limiting and set the `timeout` property on the server to define a maximum request processing time.
Django Implement request timeouts and limit the number of concurrent connections in your Django application to mitigate potential DoS attacks. Use Django's built-in features to set a reasonable timeout value for database operations and consider using a reverse proxy like Nginx to manage timeouts for client connections.
Symfony Implement a request timeout mechanism in Symfony by configuring the 'max_execution_time' in your 'php.ini' file or by using the 'set_time_limit()' function in your PHP scripts to prevent long-running requests. Additionally, consider using Symfony's 'RequestStack' and 'KernelEvents' to create custom event listeners that can track request duration and terminate requests that exceed a predefined threshold.
Spring_boot Implement a global timeout configuration for all requests in Spring Boot by using the `spring.mvc.async.request-timeout` property in `application.properties` or `application.yml`. Additionally, consider using `@Async` annotation with a custom `Executor` that has a timeout policy to handle long-running tasks without blocking the main thread.
Flask Implement request timeout handling in Flask by using the `timeout` decorator from Flask-Timeout or setting up a custom timeout mechanism to ensure long-running requests are terminated, preventing potential DoS attacks.
Nuxt Implement server-side request timeout settings and client-side timeout warnings to prevent long-running requests from causing DoS. In Nuxt.js, configure the server middleware to manage request processing time and set timeouts appropriately.
Fastapi Implement request timeout handling in FastAPI by using dependencies to create a timer that will cancel long-running requests. Adjust the timeout threshold based on your application's performance profile to prevent potential DoS attacks.
Frappe Implement a request timeout mechanism in the Frappe framework to prevent long-running queries from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Genzio Implement a security timeout in the Genzio framework engine to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Gin Implement request timeouts in the Gin framework to prevent long-running requests from causing Denial-of-Service (DoS) situations. Configure the server to set a reasonable timeout duration that aligns with your application's performance requirements.
Gorilla Implement a security timeout to prevent long-running requests from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific requirements to ensure optimal performance and security.
Hapi Implement request timeouts in the Hapi framework to prevent long-running requests from causing Denial-of-Service (DoS) situations. Configure the server's timeout settings to align with your application's performance requirements.
Hono Implement a security timeout to prevent long-running requests from causing Denial-of-Service (DoS) situations. Adjust the timeout threshold according to your application's specific requirements to ensure optimal performance and security.
Jersey Implement request timeouts in the Jersey framework to prevent long-running requests from causing Denial-of-Service (DoS) situations. Configure a reasonable timeout threshold based on your application's performance requirements to ensure timely responses and maintain service availability.
Koa Implement a request timeout middleware in your Koa application to prevent long-running requests from causing Denial-of-Service (DoS) issues. Configure the timeout duration according to your application's needs to ensure optimal performance and security.
Ktor Implement request timeouts in Ktor by configuring the server's timeout settings to prevent long-running requests and mitigate potential Denial-of-Service (DoS) attacks.
Leptos Implement a request timeout mechanism in the Leptos framework to prevent long-running requests from causing Denial-of-Service (DoS) vulnerabilities.
Macaron Implement request timeouts in the Macaron framework to prevent long-running requests from causing Denial-of-Service (DoS) issues. Configure the timeout settings according to your application's specific needs to ensure optimal performance and security.
Phoenix Implement a request timeout in the Phoenix framework to prevent long-running requests from causing Denial-of-Service (DoS) issues. Adjust the timeout settings in your endpoint configuration to suit your application's performance requirements.
Redwoodjs Implement request timeouts in RedwoodJS to prevent long-running queries from causing Denial-of-Service (DoS) vulnerabilities. Adjust the timeout settings in your RedwoodJS configuration to align with your application's performance requirements.
Rocket Implement a security timeout to prevent long-running requests from causing Denial-of-Service (DoS) attacks. Adjust the timeout threshold according to your application's specific needs to ensure optimal performance and security.
Sveltekit Implement request timeouts in your SvelteKit application to prevent long-running requests from causing Denial-of-Service (DoS) vulnerabilities. Adjust the timeout settings in your server configuration to align with your application's performance requirements.

Configuration

Identifier: resource_limitation/timeout

Options

  • threshold_info : Duration of a request (in seconds) before raising a info level alert
  • threshold_low : Duration of a request (in seconds) before raising a low level alert
  • threshold_medium : Duration of a request (in seconds) before raising a medium level alert

Examples

Ignore this check

checks:
  resource_limitation/timeout:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM04:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4

Classification

  • CWE: 400

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
  • CVSS_SCORE: 7.2

References