Resource Limitation: GraphQL Alias Limit

Identifier: graphql_alias_limit

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

GraphQL aliases let a single request contain the same field or query several times under different names. An attacker can use this to run one operation many times per request, bypassing rate limits that count requests rather than operations, and to exhaust server resources.

How we test: We send GraphQL queries using multiple aliases to execute the same query multiple times in a single request. We analyze responses and server behavior to detect if alias usage can bypass rate limiting or cause resource exhaustion.
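The mitigation this test looks for is a server-side alias limit enforced before execution. The following is an added example of such a check (not the scanner's own code and not tied to any GraphQL framework); it assumes a pre-execution hook that can reject a query string, and all queries in it are constructed for the demonstration.

```python
import re
from collections import Counter

# Strings (including block strings) and comments are blanked out first, so a
# colon inside them is never mistaken for the "alias: field" separator.
STRING_RE = re.compile(r'"""(?:[^"]|"(?!""))*"""|"(?:\\.|[^"\\\n])*"')
COMMENT_RE = re.compile(r'#[^\n]*')
# A Name followed by ':' and another Name is an alias, but only outside
# parentheses; inside them the same shape is an argument or variable definition.
TOKEN_RE = re.compile(
    r'(?P<name>[_A-Za-z][_0-9A-Za-z]*)(?:\s*:\s*(?P<target>[_A-Za-z][_0-9A-Za-z]*))?'
    r'|(?P<open>\()|(?P<close>\))|\S'
)


def alias_targets(query: str) -> Counter:
    """Map each aliased field name to the number of aliases pointing at it."""
    src = COMMENT_RE.sub(' ', STRING_RE.sub(' ', query))
    depth, targets = 0, Counter()
    for m in TOKEN_RE.finditer(src):
        if m.group('open'):
            depth += 1
        elif m.group('close'):
            depth -= 1
        elif m.group('target') and depth == 0:
            targets[m.group('target')] += 1
    return targets


def check_alias_limit(query: str, max_total: int = 10, max_per_field: int = 3):
    """Return (allowed, reason). Run this before resolvers and before the
    per-request rate limiter, so every alias still costs one operation."""
    targets = alias_targets(query)
    total = sum(targets.values())
    if total > max_total:
        return False, f"{total} aliases exceed limit of {max_total}"
    for field, n in targets.items():
        if n > max_per_field:
            return False, f"field '{field}' aliased {n} times (limit {max_per_field})"
    return True, "ok"


# Constructed samples: one alias flood, one benign query with colons that are not aliases.
ABUSIVE_QUERY = "query Flood {\n" + "\n".join(
    f'  q{i}: search(term: "x{i}") {{ id }}' for i in range(1, 13)) + "\n}"
BENIGN_QUERY = """
query Product($id: ID!, $opts: Opts = {verbose: true}) {
  # comment with a colon: not an alias
  product(id: $id, label: "time: 12:30") @include(if: true) {
    title: name
    ... on Book { pages }
  }
}
"""
```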

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_alias_limit:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.