nuclei-templates/http/misconfiguration/graphql/graphql-array-batching.yaml

53 lines
1.7 KiB
YAML

id: graphql-array-batching
info:
name: GraphQL Array-based Batching
author: Dolev Farhi
severity: info
description: |
Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
remediation: |
Deactivate or limit Batching in your GraphQL engine.
reference:
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://graphql.security/
metadata:
max-request: 2
tags: graphql,misconfig
http:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- ':"Query"'
- ':"Mutations"'
case-insensitive: true
condition: and
- type: word
part: header
words:
- "application/json"
# digest: 4b0a004830460221009352f5fb69d50c384b0609e39864120c5da438c4d4b50e5f7ff9e78e6a17fdbc02210093902ef377f0eca11245c1fd3095f3b29f51a9417d1a48f3a7e1df0ecb0d0185:922c64590222798bb761d5b6d8e72950