nuclei-templates/http/misconfiguration/graphql/graphql-array-batching.yaml

51 lines
1.5 KiB
YAML
Raw Normal View History

id: graphql-array-batching
2022-03-08 19:03:10 +00:00
info:
name: GraphQL Array-based Batching
author: Dolev Farhi
2022-07-26 05:15:05 +00:00
severity: info
description: |
Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
reference:
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://graphql.security/
remediation: |
Deactivate or limit Batching in your GraphQL engine.
tags: graphql,misconfig
metadata:
max-request: 2
2022-03-08 19:03:10 +00:00
http:
2022-03-08 19:03:10 +00:00
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
2022-07-26 05:18:53 +00:00
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
2022-07-26 05:20:36 +00:00
stop-at-first-match: true
matchers-condition: and
2022-03-08 19:03:10 +00:00
matchers:
- type: word
2022-03-09 12:57:29 +00:00
part: body
2022-03-08 19:03:10 +00:00
words:
- ':"Query"'
- ':"Mutations"'
case-insensitive: true
condition: and
- type: word
part: header
words:
2022-07-26 05:15:05 +00:00
- "application/json"