Alias overloading

firetail:graphql-alias-overloading

Type:

Observation

Rule Severity:

High

The GraphQL endpoint allows excessive alias overloading, permitting more than 100 aliases in a single query.

This behavior can lead to performance degradation, increased resource consumption, and potential denial-of-service (DoS) attacks. Without proper limits, malicious users can exploit this feature to overload the backend system, affecting its availability and performance.

Remediation

Implement a limit on the maximum number of aliases allowed in GraphQL queries. Update the GraphQL server configuration to enforce reasonable thresholds for alias usage.
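As an added example (not FireTail's code), a dependency-free check that counts aliases in an incoming query and rejects it above the finding's threshold of 100, suitable as a gate in front of query execution. The small lexer is an assumption that approximates the GraphQL spec lexer; in production the same count belongs in a custom validation rule of your GraphQL server.

```python
import re

MAX_ALIASES = 100  # threshold from the finding: more than 100 aliases is flagged
# Minimal GraphQL lexer (assumption: approximates the spec lexer, skipping some
# escape forms). Strings and comments are single tokens, so a ':' inside them is never counted.
_TOKEN = re.compile(r'''
    "{3}[\s\S]*?"{3}                           # block string literal
  | "(?:[^"\\\n]|\\.)*"                        # string literal
  | \#[^\n]*                                   # comment (dropped below)
  | [A-Za-z_][A-Za-z0-9_]*                     # name
  | -?[0-9]+(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?  # number
  | \.\.\.                                     # fragment spread
  | [{}()\[\]:=@$!|&]                          # punctuator
''', re.VERBOSE)
_NAME = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')

def count_aliases(query: str) -> int:
    """Count 'alias: field' occurrences. A ':' after a name at parenthesis depth 0
    is an alias; every other ':' (argument names, variable definitions, input
    object keys, directive arguments) sits inside '( ... )' and is skipped."""
    tokens = [m.group(0) for m in _TOKEN.finditer(query)
              if not m.group(0).startswith('#')]
    depth = aliases = 0
    for i, tok in enumerate(tokens):
        if tok == '(':
            depth += 1
        elif tok == ')':
            depth -= 1
        elif tok == ':' and depth == 0 and i and _NAME.fullmatch(tokens[i - 1]):
            aliases += 1
    return aliases

def validate_alias_count(query: str, max_aliases: int = MAX_ALIASES) -> tuple:
    """Pre-execution gate: returns (accepted, alias_count)."""
    n = count_aliases(query)
    return n <= max_aliases, n

def repeated_alias_query(n: int) -> str:
    """Constructed test input: one field selected n times under distinct aliases."""
    return "query { " + " ".join(f"a{i}: product(id: 1) {{ name }}" for i in range(n)) + " }"

# Constructed sample: three aliases, plus several ':' that must not be counted.
SAMPLE_QUERY = '''query Products($id: ID!) {
  first: product(id: $id) { name }                            # alias
  second: product(id: $id, filter: {label: "a:b"}) { name }   # alias
  plain: products { id }                                      # alias
  product(id: "x") @include(if: true) { name }                # no alias
}
'''
```

`validate_alias_count(SAMPLE_QUERY)` returns `(True, 3)`, while a query built with `repeated_alias_query(101)` is rejected with `(False, 101)`.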

Example Attack Scenario

An attacker submits a query with over 100 aliases, each of which makes the server resolve the same field again, so a single request multiplies backend work and resource consumption. If the server does not limit the number of aliases, it may suffer performance degradation, slower responses, or outright failure, resulting in a denial-of-service (DoS) condition.

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications