nuclei-templates/misconfiguration/graphql/graphql-array-batching.yaml

id: graphql-array-batching

info:
  name: GraphQL Array-based Batching
  author: Dolev Farhi
  severity: info
  description: |
    Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
    However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
  reference:
    - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
    - https://graphql.security/
  remediation: |
    Deactivate or limit Batching in your GraphQL engine.
  tags: graphql

requests:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]

      - |
        POST /api/graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ':"Query"'
          - ':"Mutations"'
        case-insensitive: true
        condition: and

      - type: word
        part: header
        words:
          - "application/json"
update: more matchers + description + reference 2022-03-15 13:13:35 +00:00			`id: graphql-array-batching`
GraphQL Templates 2022-03-08 19:03:10 +00:00
			`info:`
			`name: GraphQL Array-based Batching`
			`author: Dolev Farhi`
Update graphql-array-batching.yaml 2022-07-26 05:15:05 +00:00			`severity: info`
update: more matchers + description + reference 2022-03-15 13:13:35 +00:00			`description: \|`
			`Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.`
			`However, an attacker can leverage this feature to evade many security measures, including Rate Limit.`
			`reference:`
			`- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin`
			`- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application`
			`- https://graphql.security/`
			`remediation: \|`
			`Deactivate or limit Batching in your GraphQL engine.`
GraphQL Templates 2022-03-08 19:03:10 +00:00			`tags: graphql`

			`requests:`
			`- raw:`
			`- \|`
			`POST /graphql HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]`

Update graphql-array-batching.yaml 2022-07-26 05:18:53 +00:00			`- \|`
			`POST /api/graphql HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]`

Update graphql-array-batching.yaml 2022-07-26 05:20:36 +00:00			`stop-at-first-match: true`
update: more matchers + description + reference 2022-03-15 13:13:35 +00:00			`matchers-condition: and`
GraphQL Templates 2022-03-08 19:03:10 +00:00			`matchers:`
			`- type: word`
moving templates around 2022-03-09 12:57:29 +00:00			`part: body`
GraphQL Templates 2022-03-08 19:03:10 +00:00			`words:`
update: more matchers + description + reference 2022-03-15 13:13:35 +00:00			`- ':"Query"'`
			`- ':"Mutations"'`
			`case-insensitive: true`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
Update graphql-array-batching.yaml 2022-07-26 05:15:05 +00:00			`- "application/json"`