AppSync GraphQL API query depth limit not set

aws-appsync-query-depth-limit-not-set

Type:

CSPM

Rule Severity:

High

The AppSync GraphQL API has a query depth limit of 0, which AppSync treats as no limit at all.

Without a query depth limit, the AppSync API is more susceptible to resource exhaustion from deeply nested queries. This could result in excessive memory and CPU consumption, negatively impacting the API’s performance and availability. As the API processes deeply nested queries, it could slow down or become unresponsive, affecting user experience and potentially disrupting critical services.

Remediation

Set a query depth limit on the AppSync GraphQL API. This would restrict how many levels of nesting a query can have, helping to mitigate potential abuse through deep and resource-draining queries.
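One way to identify this finding across every API in an account and apply the remediation, as an added example that is not part of this page or of AWS's own tooling. It assumes the caller passes a boto3 AppSync client (`boto3.client("appsync")`); `FakeAppSyncClient`, the `SAMPLE_APIS` records and the limit of 10 are constructed here so it runs offline.

```python
# Assumed limit; the page gives no value. Choose the deepest nesting a
# legitimate query needs (users -> posts -> comments -> likes -> user is 5).
DEFAULT_MAX_DEPTH = 10
# UpdateGraphqlApi settings carried over so the update does not drop them.
PASSTHROUGH = ("logConfig", "userPoolConfig", "openIDConnectConfig", "lambdaAuthorizerConfig",
               "additionalAuthenticationProviders", "xrayEnabled", "resolverCountLimit", "introspectionConfig")

def depth_limit_missing(api):
    # AppSync reports queryDepthLimit 0 (or omits it) when no limit is enforced.
    return int(api.get("queryDepthLimit") or 0) == 0

def find_unlimited_apis(client):
    """Walk every page of ListGraphqlApis; return the GraphqlApi records with no limit."""
    found, token = [], None
    while True:
        page = client.list_graphql_apis(**({"nextToken": token} if token else {}))
        found += [a for a in page.get("graphqlApis", []) if depth_limit_missing(a)]
        token = page.get("nextToken")
        if not token:
            return found

def set_depth_limit(client, api, max_depth=DEFAULT_MAX_DEPTH):
    """Apply the limit; UpdateGraphqlApi requires name and authenticationType as well."""
    if not 1 <= max_depth <= 75:  # the range AppSync accepts for queryDepthLimit
        raise ValueError("queryDepthLimit must be between 1 and 75")
    params = {k: api[k] for k in PASSTHROUGH if k in api}
    params.update(apiId=api["apiId"], name=api["name"], queryDepthLimit=max_depth,
                  authenticationType=api["authenticationType"])
    return client.update_graphql_api(**params)["graphqlApi"]

class FakeAppSyncClient:
    """Constructed offline stand-in for boto3.client("appsync"); one API per page."""
    def __init__(self, apis):
        self.apis = {a["apiId"]: dict(a) for a in apis}

    def list_graphql_apis(self, nextToken=None):
        ids = sorted(self.apis)
        i = ids.index(nextToken) if nextToken else 0
        more = {"nextToken": ids[i + 1]} if i + 1 < len(ids) else {}
        return {"graphqlApis": [self.apis[ids[i]]], **more}

    def update_graphql_api(self, apiId, **kwargs):
        self.apis[apiId].update(kwargs)
        return {"graphqlApi": dict(self.apis[apiId])}

SAMPLE_APIS = [  # constructed records shaped like AppSync GraphqlApi objects
    {"apiId": "api-a", "name": "users-api", "authenticationType": "API_KEY", "queryDepthLimit": 0, "xrayEnabled": True},
    {"apiId": "api-b", "name": "orders-api", "authenticationType": "API_KEY", "queryDepthLimit": 8}]

if __name__ == "__main__":
    client = FakeAppSyncClient(SAMPLE_APIS)  # real use: boto3.client("appsync")
    for api in find_unlimited_apis(client):
        print("FINDING", api["apiId"], "->", set_depth_limit(client, api)["queryDepthLimit"])
```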

Example Attack Scenario

An attacker notices that the AppSync GraphQL API does not have a query depth limit and decides to exploit this by sending a deeply nested query. The query retrieves a list of users and for each user, retrieves their posts, then for each post, retrieves its comments, and for each comment, retrieves the list of likes, each like having its associated user.

Without a query depth limit, the server is forced to process each level of nested data. The request could have hundreds or thousands of nested likes, comments, and posts depending on how many users are in the system. This causes the backend to use more CPU, memory, and network bandwidth than it can handle.

Impact:

  • Resource Exhaustion: The server exhausts memory and CPU by processing these deeply nested queries, causing a significant delay in response times or even complete unresponsiveness.
  • Denial-of-Service (DoS): Legitimate users of the API experience timeouts, slow responses, or failures due to the server being overwhelmed by the attacker’s complex query.
  • Performance Degradation: The system becomes slow and unstable, impacting the overall user experience.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications