update: more matchers + description + reference

misconfiguration/graphql/graphql-alias-based-batching.yaml

@@ -1,25 +0,0 @@
-id: graphql-alias-based-batching
-
-info:
-  name: GraphQL Alias-based Batching
-  author: Dolev Farhi
-  severity: low
-  description: GraphQL allows batching multiple queries using Aliases
-  reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
-  tags: graphql
-
-requests:
-  - raw:
-      - |
-        POST /graphql HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
-
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "nuclei6"
-        case-insensitive: true

misconfiguration/graphql/graphql-alias-batching.yaml

@@ -0,0 +1,41 @@
+id: graphql-alias-batching
+
+info:
+  name: GraphQL Alias-based Batching
+  author: Dolev Farhi
+  severity: low
+  description: |
+    GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
+    However, an attacker can leverage this feature to evade many security measures, including rate limit.
+  reference:
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security/
+    - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+  remediation: |
+    Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"data":'
+          - '"nuclei1":'
+          - '"nuclei6":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-array-batching.yaml

@@ -1,11 +1,18 @@
-id: graphql-array-based-batching
+id: graphql-array-batching
 
 info:
   name: GraphQL Array-based Batching
   author: Dolev Farhi
   severity: low
-  description: GraphQL Allows Batching Requests using Arrays
-  reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+  description: |
+    Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
+    However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
+  reference:
+    - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://graphql.security/
+  remediation: |
+    Deactivate or limit Batching in your GraphQL engine.
   tags: graphql
 
 requests:
@@ -17,10 +24,17 @@ requests:
 
         [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
 
+    matchers-condition: and
     matchers:
       - type: word
         part: body
         words:
-          - "Query"
-          - "Mutations"
-        case-insensitive: true
+          - ':"Query"'
+          - ':"Mutations"'
+        case-insensitive: true
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-field-suggestion.yaml

@@ -0,0 +1,37 @@
+id: graphql-field-suggestion
+
+info:
+  name: GraphQL Field Suggestion Information Disclosure
+  author: Dolev Farhi
+  severity: info
+  description: |
+    If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
+    By default, GraphQL backends have a feature for fields and operations suggestions.
+    If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
+  reference:
+    - https://github.com/webonyx/graphql-php/issues/454
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Did you mean"
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-field-suggestions.yaml

@@ -1,24 +0,0 @@
-id: graphql-field-suggestions
-
-info:
-  name: GraphQL Field Suggestion Enabled
-  author: Dolev Farhi
-  severity: low
-  description: GraphQL Allows Enumeration of Schema through Field Suggestions
-  reference: https://github.com/webonyx/graphql-php/issues/454
-  tags: graphql
-
-requests:
-  - raw:
-      - |
-        POST /graphql HTTP/1.1
-        Host: {{Hostname}}
-        Content-Type: application/json
-
-        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}
-
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "Did you mean"

misconfiguration/graphql/graphql-get-method-support.yaml

@@ -1,21 +0,0 @@
-id: graphql-get-method-support
-
-info:
-  name: GraphQL Allows GET method
-  author: Dolev Farhi
-  severity: low
-  description: GraphQL Allows querying using the GET method
-  reference: https://graphql.org/learn/serving-over-http/#get-request
-  tags: graphql
-
-requests:
-  - method: GET
-    path:
-      - "{{BaseURL}}/graphql?query={__typename}"
-
-    matchers:
-      - type: word
-        part: body
-        words:
-          - "Query"
-        case-insensitive: true

misconfiguration/graphql/graphql-get-method.yaml

@@ -0,0 +1,36 @@
+id: graphql-get-method
+
+info:
+  name: GraphQL CSRF / GET method
+  author: Dolev Farhi
+  severity: info
+  description: |
+    Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
+    Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
+  reference:
+    - https://graphql.org/learn/serving-over-http/#get-request
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security/
+  tags: graphql
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/graphql?query={__typename}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"query"'
+          - '"data"'
+          - '"__typename"'
+        case-insensitive: true
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"