# GraphQL Alias Overloading

{% hint style="danger" %}
**At a Glance**:  **GraphQL Alias Overloading** occurs when an attacker abuses the alias feature in GraphQL queries to execute the same query multiple times within a single request by assigning different names to each. While aliases are designed for legitimate use cases, overloading them can lead to Denial of Service (DoS) attacks by overwhelming the server with redundant operations. To prevent this, implement query complexity limiting, depth limiting, and proper validation to ensure that only safe and efficient queries are processed
{% endhint %}

***

## Introduction

GraphQL Alias Overloading is a security vulnerability that arises when a client exploits the aliasing feature in GraphQL to execute the same query multiple times in a single request. By assigning different aliases to the same field or operation, an attacker can force the server to perform excessive processing, leading to high CPU and memory usage. This can ultimately result in a Denial of Service (DoS) attack, where legitimate users are denied access due to server overload.

For example, an attacker might send a query like:

```graphql
{
  user1: user(id: "123") { name }
  user2: user(id: "123") { name }
  user3: user(id: "123") { name }
  // ...repeated hundreds of times
}
```

In this scenario, the server processes the same `user` query multiple times under different aliases, consuming significant resources.

## What are the common mistakes made by developers?

1. **No Query Complexity Limitation**: Developers may fail to implement limits on query depth or complexity, allowing excessively nested or large queries to be processed.
2. **Unlimited Alias Usage**: Not restricting the number of aliases in a single query enables attackers to overload the server with redundant operations.
3. **Lack of Rate Limiting**: Without rate limiting, attackers can send numerous requests in a short time frame, exacerbating the impact of alias overloading.

## How can I fix GraphQL Introspection issues?

1. Restrict Alias Usage: Set limitations on the number of aliases permitted in a single request to minimize the potential for Denial of Service (DoS) attacks.
2. Enforce Rate Limiting: Implement controls to cap the number of requests a client can make within a certain time frame, thereby reducing the likelihood and impact of DoS attacks.

By implementing these measures, you can protect your GraphQL API from alias overloading attacks, ensuring it remains robust and reliable for legitimate users.

* ## Test cases in this category

This test case detect if GraphQL introspection is enabled:

<table><thead><tr><th>Test case</th><th width="251.33333333333331">OWASP</th><th>CWE</th><th data-hidden></th></tr></thead><tbody><tr><td>[GQL002] GraphQL Alias Overloading</td><td><a href="https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/">API8 OWASP API Top 10</a></td><td><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></td><td></td></tr></tbody></table>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.pynt.io/documentation/api-security-testing/pynt-security-tests-coverage/graphql-alias-overloading.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.