Cyclic query
Description
GraphQL allows developers to nest queries and objects. Attackers can abuse this feature by calling a deeply nested query similar to a recursive function and causing a Denial of Service by exhausting CPU, memory, or other resources.
Remediation
Although the ability to run a cyclic query is necessary for some GraphQL applications, it is best to always implement security measures that keep these cyclic queries under control:
- Set query timeouts: restrict the time a query is allowed to run.
- Set a maximum query depth: limit the tolerated depth of queries in order to prevent overly deep queries from abusing resources.
- Set a maximum query complexity: limit the complexity of queries to mitigate the abuse of GraphQL resources.
- Use server-time-based throttling: limit the amount of server time a user can consume.
- Use query-complexity-based throttling: limit the total complexity of queries a user can consume.
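The depth and cycle limits above can be enforced before a query reaches the executor. The following Python script is an added example (not Escape's code and not part of this page's original content): a dependency-free walker over a GraphQL query string that reports the deepest field nesting and any selection path in which a field name repeats (user -> friends -> user ...), and a `check_query` gate that rejects on either. It handles aliases, arguments (including input-object braces), directives, inline fragments and fragment definitions; named fragment spreads are not expanded, so in production this logic belongs after the server's own parser and fragment resolution, or is replaced by the framework's built-in depth and complexity rules. The sample queries at the bottom are constructed for the demonstration.

```python
import re

# Lexer for the subset of GraphQL syntax needed to walk selection sets; strings and
# comments are matched whole, so braces inside them never count as nesting.
_TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[\s,]+'   # strings, comments, separators
    r'|\.\.\.|[{}()\[\]:@!=$|]|[A-Za-z_][A-Za-z0-9_]*'     # spread, punctuators, names
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|(?P<bad>.)'        # numbers; anything else is an error
)

def tokenize(query):
    tokens = []
    for m in _TOKEN_RE.finditer(query):
        if m.group("bad"):
            raise ValueError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.group()[0] not in ",#" and not m.group()[0].isspace():
            tokens.append(m.group())
    return tokens

class _Walker:
    # Recursive descent over selection sets, recording depth and repeated field names.
    def __init__(self, tokens):
        self.toks, self.i, self.max_depth, self.cycles = tokens, 0, 0, []
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def next(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]
    def skip_parens(self):                 # '( ... )': input-object braces inside stay invisible
        depth = int(self.next() == "(")
        while depth:
            depth += {"(": 1, ")": -1}.get(self.next(), 0)
    def skip_directives(self):
        while self.peek() == "@":
            self.next(); self.next()       # '@' and the directive name
            if self.peek() == "(":
                self.skip_parens()
    def definition(self):
        if self.peek() in ("query", "mutation", "subscription", "fragment"):
            self.next()
            if self.peek() not in ("{", "(", "@"):
                self.next()                # operation or fragment name
            if self.peek() == "on":
                self.next(); self.next()   # fragment type condition
            if self.peek() == "(":
                self.skip_parens()         # variable definitions
            self.skip_directives()
        self.selection_set([])             # a fragment body is walked as its own root
    def selection_set(self, path):
        if self.next() != "{":
            raise ValueError("expected '{'")
        while self.peek() != "}":
            tok = self.next()
            if tok == "...":               # inline fragment or named spread
                if self.peek() == "on":
                    self.next(); self.next()   # 'on' TypeName
                elif self.peek() not in ("{", "@"):
                    self.next()            # named spread: the fragment is not expanded here
                    self.skip_directives()
                    continue
                self.skip_directives()
                self.selection_set(path)   # inline fragments add no depth of their own
                continue
            if not (tok[0].isalpha() or tok[0] == "_"):
                raise ValueError(f"expected field name, got {tok!r}")
            name = tok
            if self.peek() == ":":         # alias: the real field name follows
                self.next()
                name = self.next()
            if self.peek() == "(":
                self.skip_parens()
            self.skip_directives()
            self.max_depth = max(self.max_depth, len(path) + 1)
            if name in path:               # e.g. user -> friends -> user
                self.cycles.append(path + [name])
            if self.peek() == "{":
                self.selection_set(path + [name])
        self.next()                        # consume the closing '}'

def analyze_query(query):
    """Return (max_depth, cycles) for a query document; raises ValueError on bad syntax."""
    w = _Walker(tokenize(query))
    while w.peek() is not None:
        w.definition()
    return w.max_depth, w.cycles

def check_query(query, max_depth=10):
    """Gate a query before execution; returns (accepted, reason)."""
    try:
        depth, cycles = analyze_query(query)
    except ValueError as exc:
        return False, f"parse error: {exc}"
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if cycles:
        return False, "cyclic selection " + " -> ".join(cycles[0])
    return True, f"ok (depth {depth})"

# Constructed sample queries for the demonstration (not from the page).
SAFE_QUERY = "query Me($id: ID!) { user(id: $id) { id name posts(first: 10, filter: {published: true}) { title } } }"
CYCLIC_QUERY = "{ user { friends { user { friends { user { name } } } } } }"
```

Depth is counted per field level (a top-level field is depth 1), so `SAFE_QUERY` scores 3 and `CYCLIC_QUERY` scores 6 and trips the cycle rule on `user -> friends -> user`. A malformed or truncated query is rejected as a parse error rather than let through, and braces inside string literals or argument objects never inflate the depth. A field-name repeat is a heuristic: some legitimate schemas select the same field name at two levels, so tune the rule (or rely on the depth limit alone) for those.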
GraphQL Specific
Apollo
To mitigate potential risks associated with the Apollo framework engine, ensure that all data inputs are properly sanitized and validated. Utilize built-in security features and follow best practices for authentication and authorization. Regularly update the Apollo libraries to their latest versions to benefit from security patches and improvements. Additionally, consider implementing security tools and services that can provide extra layers of protection for your application.
Yoga
To address vulnerabilities within the Yoga framework engine, it is recommended to regularly update the framework to the latest version, as updates often include security patches for known issues. Additionally, ensure that all data inputs are properly sanitized to prevent injection attacks, and implement strong access controls to restrict unauthorized access to sensitive components. Regular security audits and code reviews can also help identify and remediate potential security weaknesses in the application.
Awsappsync
To ensure the security and performance of your AWS AppSync GraphQL APIs, it is recommended to use parameterized queries to prevent injection attacks and to optimize query execution. Avoid using inline arguments within the queries. Instead, define variables outside of your query and pass them as separate parameters. This approach allows AWS AppSync to prepare the execution plan once and execute it multiple times with different variables, reducing the risk of injection attacks and improving performance.
Graphqlgo
To mitigate potential security risks in a GraphQL Go framework engine, it is recommended to use parameterized queries to prevent injection attacks. Additionally, implement proper validation and sanitization of user inputs, enforce strict type checking, and use query depth limiting to avoid denial-of-service attacks caused by overly complex queries. Regularly update dependencies to incorporate security patches.
Graphqlruby
In the GraphQL Ruby framework, ensure that all queries are properly sanitized and parameterized to prevent injection attacks. Use the built-in mechanisms for argument handling and avoid interpolating variables directly into query strings. Always validate and sanitize input from users, and consider using graphql-ruby's authorization features to control access to sensitive data. Regularly update the framework and dependencies to incorporate security fixes.
Hasura
To mitigate the risk of SQL injection and ensure the security of your Hasura GraphQL engine, it is crucial to avoid using raw SQL queries with user-provided input. Instead, utilize Hasura's built-in parameterized queries feature. This allows you to define variables in your GraphQL queries, which Hasura will safely interpolate, preventing malicious actors from injecting arbitrary SQL code. Always validate and sanitize user inputs on the server side, even when using GraphQL variables, to further enhance the security of your application.
Configuration
Identifier:
resource_limitation/cyclic_query
Options
- skip_objects: list of objects to be skipped by the security test.
Examples
Ignore this check
checks:
  resource_limitation/cyclic_query:
    skip: true
Score
- Escape Severity: LOW
Compliance
- OWASP: API7:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC6
- psd2: Article-97
- iso27001: A.14.2
- nist: SP800-53
- fedramp: AC-4
Classification
- CWE: 400
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1