id: graphql-alias-batching info: name: GraphQL Alias-based Batching author: Dolev Farhi severity: info description: | GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently. However, an attacker can leverage this feature to evade many security measures, including rate limit. reference: - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html - https://graphql.security/ - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin remediation: | Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks. tags: graphql requests: - raw: - | POST /graphql HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"} - | POST /api/graphql HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"} stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '"data":' - '"nuclei1":' - '"nuclei6":' condition: and - type: word part: header words: - "application/json"