Resource Limitation: Security timeout¶

Identifier: timeout

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

When an application doesnt set suitable limits on how long a request can run, attackers can purposely send heavy or complex requests that take too long to process, tying up resources and potentially denying service to legitimate users. This issue usually happens when developers rely on arbitrary timeout thresholds that dont necessarily match the real-world demands of the application, leading to a situation where even a single carefully crafted query can slow down or temporarily incapacitate the service. Being unaware of proper timeout settings or defaulting to ones that are too generous is a common pitfall, and it leaves the system open to abuse and performance degradation.

References:

https://medium.com/workflowgen/graphql-query-timeout-and-complexity-management-fab4d7315d8d

Configuration¶

Example¶

Example configuration:

---
security_tests:
  timeout:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.