Security timeout

Description

Requests that take a long time to process can be used by attackers to create Denial-of-Service (DoS) situations.

This security test is based on an arbitrary timeout threshold that might not match your application's requirements. To learn how to change it, head over to the configuration section below.

Example: Querying getAllUsers(){ contacts { contacts }} returns a response after 15s.

Remediation

Implement a server timeout. For example, a server configured with a 5 seconds timeout would stop the execution of any query that takes over 5 seconds. Pros: - Simple to implement. - Most security strategies use a timeout as a final layer of protection. Cons: - Damage can already have been done before the timeout kicks in. - Can trigger other issues. Stoping connection after a certain time may result in strange behaviors and corrupt data. Warning : When a timeout is configured on the server, the socket may be closed while the underlying request continues. Make sure that the request is actually canceled.

GraphQL Specific

Apollo

To mitigate security risks associated with the Apollo framework engine, ensure that all user inputs are validated and sanitized before processing. Implement proper authentication and authorization checks to prevent unauthorized access. Regularly update the Apollo framework and its dependencies to patch known vulnerabilities. Additionally, consider setting up a security timeout feature that automatically logs out users after a period of inactivity to reduce the risk of session hijacking.

Yoga

To address the security timeout issue within the Yoga framework engine, ensure that session timeout values are appropriately configured to balance usability with security. Implement automatic session expiration after a defined period of inactivity, and prompt users to re-authenticate to continue their session. This helps to mitigate the risk of unauthorized access from unattended user sessions.

Awsappsync

To enhance security within the AWS AppSync framework, it is recommended to implement a security timeout feature. This can be achieved by setting appropriate timeout values for resolvers to prevent excessively long-running operations that could potentially expose the system to denial-of-service attacks or unintended resource consumption. Configure the 'timeoutInMillis' field for each resolver to a sensible value that balances performance and security, ensuring that operations complete within an acceptable timeframe without compromising the system's stability or user experience.

Graphqlgo

Implement a security timeout mechanism in the GraphQL Go framework engine to automatically terminate sessions that exceed a predefined period of inactivity. This helps to reduce the risk of unauthorized access from unattended sessions. Configure the timeout duration based on the sensitivity of the application's data and operations. Ensure that the timeout settings are enforced consistently across the application and that users are informed about the timeout policy to prevent data loss due to unexpected session termination.

Graphqlruby

Implement query complexity analysis to prevent resource exhaustion attacks. Define a complexity budget and use the max_complexity setting in GraphQL-Ruby to enforce it. This will help to mitigate potential denial-of-service attacks by ensuring that overly complex queries cannot be executed.

Hasura

Implement a security timeout mechanism in the Hasura framework engine to automatically terminate sessions after a period of inactivity. This reduces the risk of unauthorized access from unattended sessions. Configure the 'HASURA_GRAPHQL_JWT_SECRET' environment variable with an appropriate 'claims_namespace' and 'claims_format' to include custom claims for session timeout. Use these claims to enforce session expiration on the client-side, and ensure that the Hasura engine validates the expiration claim to prevent the use of expired tokens.

REST Specific

Asp_net

Implement request timeout limits and optimize long-running processes within the ASP.NET application to prevent potential DoS attacks.

Ruby_on_rails

Implement request timeout settings in your Ruby on Rails application to prevent long-running requests from causing a Denial-of-Service (DoS). Configure Rack::Timeout or a similar middleware to define a maximum time a request can take, and ensure that your web server (e.g., Puma, Unicorn) has appropriate timeout settings as well.

Next_js

Implement server-side request timeout limits and use efficient data retrieval methods to prevent long-running queries that could lead to DoS attacks.

Laravel

Implement request throttling and set a maximum execution time for queries in Laravel by using middleware to prevent long-running requests that could lead to DoS attacks.

Express_js

Implement rate limiting and set up a maximum request timeout in your Express.js application to prevent long-running requests from causing DoS. Use middleware like express-rate-limit for rate limiting and set the timeout property on the server to define a maximum request processing time.

Django

Implement request timeouts and limit the number of concurrent connections in your Django application to mitigate potential DoS attacks. Use Django's built-in features to set a reasonable timeout value for database operations and consider using a reverse proxy like Nginx to manage timeouts for client connections.

Symfony

Implement a request timeout mechanism in Symfony by configuring the 'max_execution_time' in your 'php.ini' file or by using the 'set_time_limit()' function in your PHP scripts to prevent long-running requests. Additionally, consider using Symfony's 'RequestStack' and 'KernelEvents' to create custom event listeners that can track request duration and terminate requests that exceed a predefined threshold.

Spring_boot

Implement a global timeout configuration for all requests in Spring Boot by using the spring.mvc.async.request-timeout property in application.properties or application.yml. Additionally, consider using @Async annotation with a custom Executor that has a timeout policy to handle long-running tasks without blocking the main thread.

Flask

Implement request timeout handling in Flask by using the timeout decorator from Flask-Timeout or setting up a custom timeout mechanism to ensure long-running requests are terminated, preventing potential DoS attacks.

Nuxt

Implement server-side request timeout settings and client-side timeout warnings to prevent long-running requests from causing DoS. In Nuxt.js, configure the server middleware to manage request processing time and set timeouts appropriately.

Fastapi

Implement request timeout handling in FastAPI by using dependencies to create a timer that will cancel long-running requests. Adjust the timeout threshold based on your application's performance profile to prevent potential DoS attacks.

Configuration

Identifier: resource_limitation/timeout

Options

• threshold_low : Duration of a request (in seconds) before raising a low level alert
• threshold_medium : Duration of a request (in seconds) before raising a low level alert
• threshold_high : Duration of a request (in seconds) before raising a low level alert

Examples

Ignore this check

checks:
  resource_limitation/timeout:
    skip: true

Score

• Escape Severity: HIGH

Compliance

• OWASP: API7:2023

• pci: 6.5.10

• gdpr: Article-32

• soc2: CC1

• psd2: Article-95

• iso27001: A.14.2

• nist: SP800-53

• fedramp: AC-4

Classification

• CWE: 400

Score

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
• CVSS_SCORE: 7.2

References

• https://medium.com/workflowgen/graphql-query-timeout-and-complexity-management-fab4d7315d8d