Skip to content

Directive Overloading in GraphQL API

Directive Overloading in GraphQL API

Description

Directive Overloading in GraphQL occurs when an attacker leverages a large number of directives in a query to overwhelm the server's processing capabilities.

Directives in GraphQL are used to modify the behavior of queries, but excessive use can lead to Denial of Service (DoS) attacks by exhausting server resources. This kind of attack can cause performance degradation or complete service outages.

Example:

query oxo {
  __typename @aa @aa @aa @aa @aa @aa @aa @aa @aa @aa
}

The security impact of Directive Overloading can lead to the following issues:

  • Denial of Service: By sending an excessive number of directives in a single query, attackers can overwhelm the server, causing legitimate users to experience slow responses or service outages.
  • Resource Exhaustion: Servers may use significant computational resources to parse and validate the directives, which can result in memory exhaustion or CPU spikes.
  • System Unavailability: If left unchecked, a Directive Overloading attack could make the GraphQL service unavailable for all users.

Recommendation

To mitigate the risk of Directive Overloading attacks, you can take the following steps:

  • Implement timeouts: Implementing timeouts to kill queries that take too long to resolve can be highly effective. By setting a maximum execution time, you can automatically terminate queries that exceed this limit, preventing them from consuming excessive server resources.

  • Limit Directives: Implement server-side limits on the number of directives allowed in a single GraphQL query. You can configure tools like GraphQL Armor to limit directives and prevent overloading.

// Configuring for GraphQL Armor
GraphQLArmorConfig({
  maxDirectives: {
    // Toggle the plugin | default: true
    enabled?: boolean,

    // Directives threshold | default: 50
    n?: int,

    // Callbacks that are ran whenever a Query is accepted
    onAccept?: GraphQLArmorAcceptCallback[],

    // Callbacks that are ran whenever a Query is rejected
    onReject?: GraphQLArmorRejectCallback[],

    // Do you want to propagate the rejection to the client? | default: true
    propagateOnRejection?: boolean,
  }
})

import graphql
from graphql.language import ast
from graphql.language import parser
from settings import api

def validate_directives(query: str) -> None:
    """
    This validation prevents the execution of queries containing an excessive
    amount of directives to prevent abuse.
    """

    class DirectivesParser(parser.Parser):
        def parse_directives(self, is_const: bool) -> list[ast.DirectiveNode]:
            directives = 0
            while self.peek(graphql.TokenKind.AT):
                directives += 1
                if directives > api.API_MAX_DIRECTIVES:
                    raise graphql.GraphQLError("Exception - Max directives exceeded")
                self.parse_directive(is_const)
            return []

    ast_parser = DirectivesParser(query)
    ast_parser.parse_document()

Standards

  • CWE_TOP_25:
    • CWE_400
  • PCI_STANDARDS:
    • REQ_6_2
    • REQ_6_4
    • REQ_11_3
  • OWASP_MASVS_L2:
    • MSTG_PLATFORM_2
  • OWASP_ASVS_L3:
    • V13_4_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5
    • CC_9_1