nuclei-templates/http/misconfiguration/graphql/graphql-alias-batching.yaml

52 lines
1.7 KiB
YAML

id: graphql-alias-batching
info:
name: GraphQL Alias-based Batching
author: Dolev Farhi
severity: info
description: |
GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including rate limit.
reference:
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
remediation: |
Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
tags: graphql,misconfig
metadata:
max-request: 2
http:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
- |
POST /api/graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"data":'
- '"nuclei1":'
- '"nuclei6":'
condition: and
- type: word
part: header
words:
- "application/json"