GraphQL supports aliasing: a single query can request the same field several times under different result keys, so several sub-queries are served by one request without name conflicts. This is a legitimate efficiency feature, but an attacker can use it to pack hundreds of calls to the same resolver into a single HTTP request. A rate limiter, brute-force lockout or quota that counts requests sees one request while the resolver executes hundreds of times, so aliasing bypasses rate limiting and any other defence keyed on the request count.
Limit the number of aliases a single query may contain in your GraphQL engine to prevent alias-based attacks.
Install our open source package GraphQL Armor for Apollo.
For graphene-django, it is possible to implement a custom GraphQL backend that limits query complexity (and with it the number of aliased fields), such as this one:
graphene-django query cost analysis / complexity limits.
Install our open source package GraphQL Armor for Yoga.
- threshold : Maximum number of aliases a query may contain before the check raises an alert (-1 = no limit).
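To make both the attack and the threshold concrete, here is an added example in JavaScript. It is not part of this page, of GraphQL Armor, or of any of the engines above. It builds the kind of alias-batched query an attacker would send (one request calling a hypothetical `login` resolver 100 times, with constructed credentials) and enforces the `threshold` semantics described above (-1 = no limit) with a dependency-free alias counter. The counter relies on a property of GraphQL syntax: outside strings and comments, a colon can only appear inside parentheses (variable definitions, arguments, directive arguments, object literals) or as the alias separator in a selection set. In a real deployment you would count aliases on the parsed document in a validation rule rather than on raw text; the only assumptions here are the query text and the threshold value.

```javascript
// Added example (not from the original page or from GraphQL Armor):
// builds an alias-batching attack query and applies the alias threshold
// that the remediation describes, without a GraphQL parser dependency.

// Attacker side: repeat one resolver N times in a single HTTP request.
// Each alias is a distinct result key, so the server runs the resolver
// N times while a per-request rate limiter counts a single request.
// `login` is a hypothetical resolver; the credentials are constructed.
function buildAliasAttack(n, password) {
  const fields = [];
  for (let i = 0; i < n; i++) {
    // the colon that may sit inside the password string is deliberate:
    // a naive "count the colons" check would misreport it as an alias
    fields.push(
      `try${i}: login(email: "victim@example.com", password: "${password}${i}") { token }`
    );
  }
  return `query BruteForce { ${fields.join(" ")} }`;
}

// Defender side: count aliases in the raw query text.
// A colon at parenthesis depth 0 that is not inside a string or a comment
// can only be an alias separator in a selection set.
function countAliases(query) {
  let aliases = 0;
  let parenDepth = 0;
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === "#") {                          // comment runs to end of line
      while (i < query.length && query[i] !== "\n") i++;
      continue;
    }
    if (query.startsWith('"""', i)) {          // block string: skip to closing """
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      continue;
    }
    if (ch === '"') {                          // ordinary string, honour escapes
      i++;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === "\\") i++;
        i++;
      }
      i++;
      continue;
    }
    if (ch === "(") parenDepth++;
    else if (ch === ")") parenDepth = Math.max(0, parenDepth - 1);
    else if (ch === ":" && parenDepth === 0) aliases++;
    i++;
  }
  return aliases;
}

// Enforce the `threshold` setting from the page: -1 means no limit.
// Returns the verdict and the count so the caller can log or reject.
function checkAliasLimit(query, threshold) {
  const count = countAliases(query);
  const ok = threshold === -1 || count <= threshold;
  return { ok, count };
}

// Example run on constructed input: 100 aliased login attempts in one request.
const attack = buildAliasAttack(100, "p@ss:word");
const verdict = checkAliasLimit(attack, 15);
console.log(`aliases=${verdict.count} allowed=${verdict.ok}`);
```

A query with arguments, variable definitions and object literals but no aliases scores zero, while the batched login query scores 100 and is rejected at a threshold of 15; the same query passes when the threshold is -1, which is why that value should be reserved for deliberately unlimited deployments.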
Ignore this check
- Escape Severity: LOW
- OWASP: API5:2023
- PCI DSS: 6.5.8
- WASC: WASC-10
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1