Skip to main content

Large JSON input

Description

Inputting a very large sized JSON as an argument.

Remediation

Limit the maximum size of a JSON that can be inputted.

GraphQL Specific

Apollo

To address large JSON input issues in the Apollo framework, ensure that you implement input validation to reject payloads that exceed the expected size. Additionally, consider using streaming JSON parsers to handle large inputs more efficiently and avoid memory overload. Set up rate limiting and depth limiting to protect against abusive requests and maintain server performance.

Yoga

To handle large JSON input in the Yoga framework engine, consider implementing streaming JSON parsers to process the data in chunks, thereby reducing memory overhead. Additionally, ensure that the server has sufficient resources to handle the expected load and optimize the JSON parsing logic for performance.

Awsappsync

To address large JSON input issues in AWS AppSync, consider implementing pagination to break down the data into smaller chunks, compressing the JSON payload if the service allows, or increasing the payload size limits within the service configuration if possible. Additionally, optimize the resolver logic to handle large inputs more efficiently and ensure that the underlying data sources can process large requests effectively.

Graphqlgo

To mitigate the risk of inefficient processing or potential denial of service attacks when handling large JSON inputs in a GraphQL Go framework, it is recommended to implement input validation to restrict the size and structure of the incoming JSON requests. Additionally, consider using query complexity analysis to prevent overly complex queries from overloading the system. Employing rate limiting and timeouts can also help in managing the load on the server. Ensure that the parsing of JSON is done securely to avoid injection attacks. Regularly monitor and log the performance to identify and address any issues proactively.

Graphqlruby

To mitigate the risk of large JSON input attacks in the GraphQL Ruby framework, implement input validation to restrict the size and structure of the incoming JSON payloads. Additionally, consider using query complexity analysis to prevent overly complex queries from consuming excessive resources.

Hasura

To mitigate the risk of large JSON input vulnerabilities in Hasura, ensure that you implement strict input validation, enforce payload size limits, and utilize depth and complexity limits for queries. Additionally, consider using rate limiting to prevent abuse.

Configuration

Identifier: resource_limitation/large_json_input

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  resource_limitation/large_json_input:
    skip: true

Score

  • Escape Severity: MEDIUM

Compliance

  • OWASP: API4:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-94

  • iso27001: A.14.2

  • nist: SP800-95

  • fedramp: SI-10

Classification

  • CWE: 20

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References