Security timeout
Description
Requests that take a long time to process can be used by attackers to create Denial-of-Service (DoS) situations.
This security test is based on an arbitrary timeout threshold that might not match your application's requirements. To learn how to change it, head over to the configuration section below.
Example: Querying getAllUsers(){ contacts { contacts }} returns a response after 15s.
Remediation
Implement a server timeout. For example, a server configured with a 5-second timeout would stop the execution of any query that takes over 5 seconds.
Pros:
- Simple to implement.
- Most security strategies use a timeout as a final layer of protection.
Cons:
- Damage can already have been done before the timeout kicks in.
- Can trigger other issues. Stopping a connection after a certain time may result in strange behaviors and corrupt data.
Warning: When a timeout is configured on the server, the socket may be closed while the underlying request continues to run. Make sure that the request itself is actually canceled, not just the connection.
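The warning above is the part most implementations get wrong, so here is an added example (not code from this page or from any GraphQL framework) showing a server-side timeout in Go and the difference between a resolver that honours the request context and one that ignores it. The Resolver type, slowWork and Demo are constructed for illustration; the only assumption about real frameworks is that resolvers receive the request context, as graphql-go resolvers do.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync/atomic"
	"time"
)

// Resolver stands in for a GraphQL field resolver such as getAllUsers (result plumbing omitted).
type Resolver func(ctx context.Context) error

// ExecuteWithTimeout is the server-side timeout from the remediation: the resolver gets a
// deadline and the caller returns as soon as it expires. Whether the underlying work also
// stops depends entirely on the resolver honouring ctx.
func ExecuteWithTimeout(parent context.Context, timeout time.Duration, r Resolver) error {
	ctx, cancel := context.WithTimeout(parent, timeout)
	defer cancel()              // signals cancellation to the resolver and frees the timer
	done := make(chan error, 1) // buffered: a late resolver can still return without blocking
	go func() { done <- r(ctx) }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		return fmt.Errorf("query aborted after %s: %w", timeout, ctx.Err())
	}
}

// slowWork simulates a resolver doing `steps` units of work. With honourCtx=false it ignores
// cancellation: the caller has already returned an error (and the client socket may be closed)
// while the server keeps burning CPU and database time, which is the situation the warning describes.
func slowWork(steps int, step time.Duration, honourCtx bool, completed *int32) Resolver {
	return func(ctx context.Context) error {
		for i := 0; i < steps; i++ {
			if honourCtx && ctx.Err() != nil {
				return ctx.Err() // stop early; real code also passes ctx to DB/HTTP calls
			}
			time.Sleep(step)
			atomic.AddInt32(completed, 1)
		}
		return nil
	}
}

// Demo runs a constructed 200ms resolver under a 50ms timeout and reports whether the call
// timed out and how many work steps still ran once everything settled.
func Demo(honourCtx bool) (timedOut bool, completed int32) {
	err := ExecuteWithTimeout(context.Background(), 50*time.Millisecond,
		slowWork(10, 20*time.Millisecond, honourCtx, &completed))
	time.Sleep(500 * time.Millisecond) // let any runaway goroutine finish
	return errors.Is(err, context.DeadlineExceeded), atomic.LoadInt32(&completed)
}
```

Both calls report a timeout to the caller, but only the context-aware resolver stops its work; the naive one runs all 10 steps after the client has already been answered.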
GraphQL Specific
AWS AppSync
AWS AppSync enforces a timeout of 30s on each request by default.
If your API sits behind an API Gateway, you can configure a different (but lower than the hard 30s limit) timeout in the AWS API Gateway console by following this path:
AWS API Gateway console > {Your App} > Resources > Integration Request > "Use default timeout".
Hasura
Hasura allows you to set a custom query timeout.
To do so:
- Go to Project Console > Security Settings > API Limits.
- Click on "Global".
- Set a timeout (e.g., 10s).
StepZen
There is no known remediation for StepZen.
GraphQL Go
Implement a server timeout by following this guide:
Configuration
Identifier:
resource_limitation/timeout
Options
- threshold_low : Duration of a request (in seconds) before raising a low level alert
- threshold_medium : Duration of a request (in seconds) before raising a medium level alert
- threshold_high : Duration of a request (in seconds) before raising a high level alert
Examples
Ignore this check
{
  "checks": {
    "resource_limitation/timeout": {
      "skip": true
    }
  }
}
Score
- Escape Severity: HIGH
- OWASP: API7:2023
- PCI DSS: 6.5.8
- CWE
- 400
- 557
- 664
- 770
- 1060
- 1088
- 1226
- WASC: WASC-10
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
- CVSS_SCORE: 7.2