Login Start Free Trial Login Start Free Trial
 

HawkScan Test Info for GraphQL Deep Recursion Query Attack

HawkScan Test Info for GraphQL Deep Recursion Query Attack

GraphQL Deep Recursion Query Attack

Reference

Plugin Id: 90053 | CWE: 400

Resource

Remediation

To protect against GraphQL deep recursion attacks, implement the following depth and complexity controls:

  1. Implement query depth limiting: Set maximum query depth limits to prevent deeply nested queries.

    Example (GraphQL Depth Limit):

    const depthLimit = require('graphql-depth-limit');
   
const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [depthLimit(7)] // Maximum depth of 7
});

  2. Use query complexity analysis: Implement query complexity scoring to reject expensive queries before execution.

    Example (GraphQL Query Complexity):

    const { createComplexityLimitRule } = require('graphql-validation-complexity');
   
const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [createComplexityLimitRule(1000)] // Max complexity of 1000
});

  3. Set execution timeouts: Configure query execution timeouts to prevent long-running operations.

    Example (GraphQL with timeout):

    const server = new ApolloServer({
  typeDefs,
  resolvers,
  plugins: [
    {
      requestDidStart() {
        return {
          willSendResponse(requestContext) {
            // Set timeout for query execution
            requestContext.response.http.setTimeout(30000); // 30 seconds
          }
        };
      }
    }
  ]
});

  4. Monitor resource usage: Implement monitoring and alerting for high CPU/memory usage from GraphQL operations.

About

GraphQL deep recursion attacks exploit the flexible nature of GraphQL queries by creating deeply nested queries that consume excessive server resources. These attacks take advantage of relationships between GraphQL types to create queries with extreme nesting depth, potentially causing stack overflow errors, memory exhaustion, or CPU overload. The vulnerability occurs when GraphQL servers don’t implement proper depth limiting or query complexity analysis to prevent abusive query structures.

Risks

The risks associated with GraphQL deep recursion vulnerabilities include:

  • Resource exhaustion: Deeply nested queries can consume excessive CPU, memory, and database resources, leading to server performance degradation.
  • Denial of service: Malicious queries can cause server crashes, timeouts, or service unavailability for legitimate users.
  • Stack overflow: Extremely deep recursion can cause stack overflow errors, potentially crashing the application or GraphQL server process.
  • Database overload: Complex nested queries may generate expensive database operations, overwhelming database servers and affecting overall application performance.