Skip to main content

Typing misconfiguration


Look for typing misconfigurations by checking if a mutation parameter with the wrong parameter type succeeds.


Do not resolve queries with a wrong argument type.

GraphQL Specific


Ensure that all configurations in the Apollo framework engine are correctly set according to the official Apollo documentation. Double-check environment variables, API endpoints, and other settings for accuracy. Use a version control system to track changes and facilitate rollback in case of misconfiguration. Additionally, consider implementing automated checks or a configuration management tool to validate settings before deployment.


Ensure that the Yoga framework engine configuration files are correctly set with the appropriate parameters, paying close attention to syntax and data types. Validate the configuration by using schema validation tools or built-in framework validators if available. Regularly review and test the configuration in a controlled environment before deploying to production.


To address typing misconfigurations in AWS AppSync, ensure that your schema definitions match the expected types in your resolvers. Validate the schema with AWS AppSync's built-in tools before deployment. Additionally, implement unit tests for your resolvers to catch typing issues early in the development process. Use AWS CloudFormation or the AWS CLI to automate and roll back deployments in case of configuration errors.


Ensure proper validation and sanitization of user inputs to prevent injection attacks. Implement strict type checking and use parameterized queries or prepared statements to handle data passed to the GraphQL engine. Regularly review and update security configurations and dependencies to mitigate potential vulnerabilities.


Ensure that the GraphQL Ruby framework is properly configured to use prepared statements or parameterized queries to prevent potential injection attacks. Regularly review and update the configuration settings to maintain security as the application evolves.


Ensure that the Hasura GraphQL engine configuration is set correctly by reviewing the environment variables and settings in the config.yaml file. Verify that the database connection strings, API ports, and other critical settings are accurate and secure. Additionally, use role-based access control to restrict permissions and apply policies that enforce strong security practices. Regularly update the Hasura engine to the latest version to benefit from security patches and improvements.

REST Specific


Ensure strong typing in ASP.NET by using explicit data types and model binding. Validate all inputs against expected types and handle parsing errors gracefully to prevent type-related vulnerabilities.


In Ruby on Rails, ensure strong parameter validation by using the built-in require and permit methods to whitelist allowed parameters. Additionally, employ Active Record validations to enforce data types and constraints at the model level.


Ensure proper validation of input types and implement strict type checking in API endpoints to prevent typing misconfigurations in the Next.js application.


In Laravel, ensure that you are using Eloquent ORM or the query builder's parameter binding to prevent typing misconfigurations and SQL injection vulnerabilities. Avoid using raw queries with user input. Always validate and sanitize input data.


Ensure proper validation of input types and implement middleware such as express-validator to check for data types and patterns before processing requests.


In Django, ensure that all query parameters are properly escaped by using the ORM's built-in querysets or by employing parameterized queries with raw() or execute() methods. Avoid string formatting or concatenation to prevent SQL injection vulnerabilities.


In Symfony, ensure that you use the built-in form component with proper data types and validation rules to prevent typing misconfigurations. Additionally, leverage the ParamConverter feature for type-hinting and automatic validation of request parameters.


Ensure strong typing in Spring Boot by using DTOs (Data Transfer Objects) with proper validation annotations, and leverage Spring's built-in type conversion to prevent type-related misconfigurations. Additionally, use @Valid on controller method parameters to enforce validation rules.


Ensure proper type checking of user inputs and utilize Flask-WTF or similar extensions to validate form data. Implement custom validation logic if necessary to catch typing misconfigurations.


Ensure proper validation of input types and implement strict type checking before passing data to components or API endpoints in Nuxt.js applications to prevent typing misconfigurations.


In FastAPI, ensure that all endpoint parameters are explicitly typed and validated using Pydantic models or FastAPI's built-in validation. Use dependency injection to share common validation logic across endpoints.


Identifier: schema/typing_misconfiguration


  • skip_objects : List of object that are to be skipped by the security test.


Ignore this check

skip: true


  • Escape Severity: MEDIUM


  • OWASP: API10:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-4