From 753a826bed466d5b425e0271951798eec357d259 Mon Sep 17 00:00:00 2001
From: zapbot <12745184+zapbot@users.noreply.github.com>
Date: Tue, 3 Feb 2026 09:51:22 +0000
Subject: [PATCH] Update alert pages

Signed-off-by: zapbot <12745184+zapbot@users.noreply.github.com>
---
 site/content/docs/alerts/50007-1.md | 2 +-
 site/content/docs/alerts/50007-2.md | 2 +-
 site/content/docs/alerts/50007-3.md | 25 +++++++++++++++++++++++++
 site/content/docs/alerts/50007.md | 3 +++
 site/data/alerttags.yml | 6 ++++++
 5 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 site/content/docs/alerts/50007-3.md

diff --git a/site/content/docs/alerts/50007-1.md b/site/content/docs/alerts/50007-1.md
index e59048b6e..4efe9fff7 100644
--- a/site/content/docs/alerts/50007-1.md
+++ b/site/content/docs/alerts/50007-1.md
@@ -3,7 +3,7 @@ title: "GraphQL Endpoint Supports Introspection"
 alertid: 50007-1
 alertindex: 5000701
 alerttype: "Tool"
-alertcount: 2
+alertcount: 3
 status: alpha
 type: alert
 risk: Informational
diff --git a/site/content/docs/alerts/50007-2.md b/site/content/docs/alerts/50007-2.md
index 58ef35acc..9bcca9e4f 100644
--- a/site/content/docs/alerts/50007-2.md
+++ b/site/content/docs/alerts/50007-2.md
@@ -3,7 +3,7 @@ title: "GraphQL Server Implementation Identified"
 alertid: 50007-2
 alertindex: 5000702
 alerttype: "Tool"
-alertcount: 2
+alertcount: 3
 status: alpha
 type: alert
 risk: Informational
diff --git a/site/content/docs/alerts/50007-3.md b/site/content/docs/alerts/50007-3.md
new file mode 100644
index 000000000..7b6501588
--- /dev/null
+++ b/site/content/docs/alerts/50007-3.md
@@ -0,0 +1,25 @@
+---
+title: "GraphQL Circular Type Reference"
+alertid: 50007-3
+alertindex: 5000703
+alerttype: "Tool"
+alertcount: 3
+status: alpha
+type: alert
+risk: Informational
+solution: "Consider restructuring the schema to avoid circular references. Use IDs or foreign keys instead of direct object references. Enforce query depth limits and use pagination to control deep nested queries."
+references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html#dos-prevention
+other: "Query -> (Organization -> Repository -> PullRequest -> Commit -> Organization)"
+cwe: 16
+wasc: 15
+alerttags:
+ - CWE-16
+ - OWASP_2021_A04
+ - OWASP_2023_API4
+ - WSTG-v42-APIT-01
+code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/ExtensionGraphQl.java
+linktext: "org/zaproxy/addon/graphql/ExtensionGraphQl.java"
+help: https://www.zaproxy.org/docs/desktop/addons/graphql-support/alerts/#id-50007
+---
+A circular reference was detected in the GraphQL schema, where object types reference each other in a cycle. This can be exploited by attackers to craft deeply recursive queries, potentially leading to Denial of Service (DoS) conditions.
diff --git a/site/content/docs/alerts/50007.md b/site/content/docs/alerts/50007.md
index 3da63acdd..651d63a72 100644
--- a/site/content/docs/alerts/50007.md
+++ b/site/content/docs/alerts/50007.md
@@ -12,6 +12,9 @@ alerts:
 50007-2:
 alertid: 50007-2
 name: "GraphQL Server Implementation Identified"
+ 50007-3:
+ alertid: 50007-3
+ name: "GraphQL Circular Type Reference"
 code: https://github.com/zaproxy/zap-extensions/blob/main/addOns/graphql/src/main/java/org/zaproxy/addon/graphql/ExtensionGraphQl.java
 linktext: "org/zaproxy/addon/graphql/ExtensionGraphQl.java"
 ---
diff --git a/site/data/alerttags.yml b/site/data/alerttags.yml
index 450747596..6d6ef4fd0 100644
--- a/site/data/alerttags.yml
+++ b/site/data/alerttags.yml
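Review bot: `cwe: 16` and the matching `CWE-16` alert tag on the new 50007-3 page map this alert to CWE-16 "Configuration", which is a CWE Category entry rather than a weakness and one CWE's own mapping notes say should not be used as a mapping target, so consumers that key on CWE ids get no meaningful classification for this finding. The page's own description and solution frame the issue as recursive-query resource exhaustion, for which CWE-674 (Uncontrolled Recursion) or CWE-400 (Uncontrolled Resource Consumption) look like the intended mapping, and `wasc: 15` (Application Misconfiguration) would presumably need the same review. This page appears to be generated from the add-on source linked under `code:`, so the correction most likely belongs in the add-on's alert definition rather than in this site file.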
@@ -319,6 +319,9 @@ OWASP_2021_A08:
 OWASP_2021_A10:
 link: https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/
 
+OWASP_2023_API4:
+ link: https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/
+
 PCI_DSS:
 link: https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance
 
@@ -355,6 +358,9 @@ SYSTEMIC:
 TEST_TIMING:
 link:
 
+WSTG-v42-APIT-01:
+ link: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL
+
 WSTG-v42-ATHN-01:
 link: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/04-Authentication_Testing/01-Testing_for_Credentials_Transported_over_an_Encrypted_Channel