Kingdom: Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Denial of Service: GraphQL

Abstract
An attacker can trigger excessive CPU and memory usage by crafting expensive nested GraphQL queries to cause Denial of Service (DoS).
Explanation
The GraphQL query language for APIs provides a runtime for querying existing data. A GraphQL schema is a model consisting of data objects, their fields and types, and their relationships to other data objects. References between different data objects can form a cycle. An attacker can trigger excessive CPU and memory usage by crafting a malicious, deeply nested query that follows such a cycle, causing a Denial of Service (DoS).

For example, consider this GraphQL schema snippet:

type User {
    id: ID!
    name: String
    profile: Profile
}
type Profile {
    id: ID!
    bio: String
    user: User
    preferences: Preferences
}
type Preferences {
    id: ID!
    theme: String
    user: User
}

In this example, User references Profile, Profile references Preferences, and Preferences references back to User, creating a cycle.
A sample query that follows the cycle:

query {
    user(id:1) {
        id
        name
        profile {
            id
            bio
            preferences {
                id
                theme
                user {
                    name
                }
            }
        }
    }
}
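Added example (not part of the original page): a dependency-free selection-set depth limiter that a server can run on the raw query document before execution, so that deeply nested cyclic queries like the one above are rejected before any resolver runs. MAX_DEPTH, SAMPLE_QUERY and the function names are assumptions for illustration; the depth limit should be tuned to the deepest legitimate query the schema needs.

```python
# Added example, not Fortify's own code. Counts selection-set nesting by tracking
# braces in the query text while ignoring braces inside string literals and
# '#' comments, so attacker-controlled strings cannot skew the count.

MAX_DEPTH = 4  # assumed limit; the cyclic sample query below nests 5 levels deep

# Constructed copy of the page's cyclic User -> Profile -> Preferences -> User query.
SAMPLE_QUERY = """
query {
  user(id:1) { id name
    profile { id bio
      preferences { id theme
        user { name }
      }
    }
  }
}
"""

def selection_depth(document: str) -> int:
    """Return the maximum selection-set nesting depth; the operation's own
    selection set counts as depth 1. Raises ValueError on unbalanced braces."""
    depth = max_depth = 0
    i, n = 0, len(document)
    while i < n:
        c = document[i]
        if c == '#':                                  # line comment: skip to EOL
            while i < n and document[i] != '\n':
                i += 1
        elif c == '"':                                # "string" or """block string"""
            quote = '"""' if document.startswith('"""', i) else '"'
            i += len(quote)
            while i < n and not document.startswith(quote, i):
                i += 2 if document[i] == '\\' else 1  # skip escaped characters
            i += len(quote)
            continue
        elif c == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == '}':
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced selection set")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced selection set")
    return max_depth

def is_query_allowed(document: str, limit: int = MAX_DEPTH) -> bool:
    """Gate to call before executing a document: reject over-deep queries."""
    return selection_depth(document) <= limit
```

A depth limit alone does not bound fan-out (list fields inside the cycle); pair it with a query-cost analysis and per-field pagination limits.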