GraphQL Alias Overloading Allowed: Potential Denial of Service Vulnerability
Description
The GraphQL API accepts queries containing an excessive number of aliases (100 or more) in a single request. GraphQL aliases let a client request the same field several times within one operation by giving each copy a distinct name. This supports legitimate batching, but when alias usage is unrestricted it becomes a resource-exhaustion vector: every aliased field is resolved separately, so a single HTTP request can trigger hundreds of resolver executions and backend queries while still counting as one request against any per-request rate limit.
Remediation
Implement Alias Limits: Configure the GraphQL server to reject documents whose alias count exceeds a reasonable ceiling (typically 5-15 aliases per request). graphql-js itself ships no alias-count rule, but it accepts custom validation rules, and many servers and gateways expose validation-rule or plugin hooks where such a check can be added before execution.
Example implementation using graphql-js together with the graphql-validation-complexity package. Validation rules are not an option of GraphQLSchema; they are passed to validate() (or to the server's validationRules setting) and run before the operation executes. The complexity rule scores every field node, so each aliased copy of a field adds to the cost and an alias-overloaded query is rejected once the cap is reached:
const { parse, validate, specifiedRules } = require('graphql');
const { createComplexityLimitRule } = require('graphql-validation-complexity');

// Reject any document whose computed cost exceeds 1000
const complexityRule = createComplexityLimitRule(1000, {
  onCost: (cost) => console.log('Query cost:', cost),
  formatErrorMessage: (cost) => `Query too complex: ${cost}`
});

// schema is the application's GraphQLSchema; query is the raw request body
const errors = validate(schema, parse(query), [...specifiedRules, complexityRule]);
if (errors.length > 0) {
  // Return the validation errors to the client and do not execute the operation
}
Apply Query Depth and Complexity Limits: In addition to alias restrictions, enforce a maximum nesting depth (for example with the graphql-depth-limit package) and complexity scoring, since deeply nested or wide selections exhaust resources without using a single alias.
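The complexity rule above limits total cost rather than aliases as such. The following is an added example, not code from the original page or from graphql-js: a dependency-free alias counter that can gate a request body at an API gateway before the document is ever parsed. It removes comments, string literals and parenthesised argument and variable lists, after which every remaining `Name :` pair is a field alias. The sample query and the limit of 15 are constructed for the example.

```javascript
// Added example: a dependency-free alias counter for GraphQL request bodies.
// Not part of the original page or of graphql-js.

// Replace comments and string literals so that a ':' inside them is ignored.
function stripCommentsAndStrings(src) {
  let out = '';
  let i = 0;
  while (i < src.length) {
    if (src.startsWith('"""', i)) {
      // Block string: skip to the closing triple quote (escaped """ is not handled)
      const j = src.indexOf('"""', i + 3);
      i = j === -1 ? src.length : j + 3;
      out += '""';
    } else if (src[i] === '"') {
      // Ordinary string: honour backslash escapes
      let j = i + 1;
      while (j < src.length && src[j] !== '"') {
        if (src[j] === '\\') j++;
        j++;
      }
      i = j + 1;
      out += '""';
    } else if (src[i] === '#') {
      // Comment runs to end of line; the newline itself is kept
      while (i < src.length && src[i] !== '\n') i++;
    } else {
      out += src[i];
      i++;
    }
  }
  return out;
}

// Drop everything inside balanced parentheses: field arguments, variable
// definitions and directive arguments all live there, and all of them use
// the same `name: value` shape as an alias.
function stripParenthesised(src) {
  let out = '';
  let depth = 0;
  for (const ch of src) {
    if (ch === '(') depth++;
    else if (ch === ')') depth = Math.max(0, depth - 1);
    else if (depth === 0) out += ch;
  }
  return out;
}

// Count field aliases across the whole document. With several operations in
// one document this is a conservative upper bound for the one that executes.
function countAliases(query) {
  const cleaned = stripParenthesised(stripCommentsAndStrings(query));
  const matches = cleaned.match(/[_A-Za-z][_0-9A-Za-z]*\s*:/g);
  return matches ? matches.length : 0;
}

// Gate a request body; 15 is the upper end of the range suggested above.
function checkAliasLimit(query, maxAliases = 15) {
  const aliases = countAliases(query);
  return { allowed: aliases <= maxAliases, aliases, maxAliases };
}

// Constructed sample: 100 aliased copies of the same field in one request
const overloaded = '{\n' +
  Array.from({ length: 100 }, (_, i) => `  u${i}: user(id: ${i}) { name }`).join('\n') +
  '\n}';

console.log(checkAliasLimit(overloaded)); // { allowed: false, aliases: 100, maxAliases: 15 }
```

Inside graphql-js the same count can be done as a custom validation rule that visits Field nodes and increments a counter whenever node.alias is set; the lexical version here is useful when the gate sits in front of the server and has no parser available.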
Implement Rate Limiting: Enforce rate limits at both the API gateway and the application layer, restricting requests per client IP or API key within a defined window (e.g., 100 requests per minute), and apply progressively longer lockouts to clients that keep exceeding the limit. Note that a request-count limit alone does not bound the work a single request can cause; alias, depth and complexity limits are what cap per-request cost.
Monitor and Alert: Track query shape (alias count, depth, computed cost), execution time and resource consumption per request so that abusive patterns are detected and responded to as they happen rather than after an outage.