🧠 GraphQL

What is it?

  • Concept: GraphQL is an open-source data query and manipulation language for APIs. Unlike REST, which relies on multiple rigid URL endpoints (e.g., /users/1, /posts/5), GraphQL exposes a single endpoint (usually /graphql). The client sends a specific query, and the server responds with exactly the data requested—nothing more, nothing less.

  • Impact: Misconfigurations commonly lead to severe information disclosure (the whole schema leaks through introspection), Denial of Service (DoS) through deeply nested or batched queries, evasion of authentication rate limits, and IDOR (Insecure Direct Object Reference) where resolvers return any object by ID without checking that the caller owns it.

How it works

  1. The Schema: The developer defines a strict schema detailing all the types of data, relationships, and operations (Queries for reading, Mutations for writing) the API supports.
  2. The Request: The client sends an HTTP POST request (sometimes GET) to the single endpoint with a JSON body carrying the query string, plus optional variables and an operationName.
  3. The Resolvers: The GraphQL engine parses and validates the query, then invokes backend functions called “resolvers” for each requested field; the resolvers fetch the data from whatever sits behind them (databases, caches, other services). Every alias, list item and nesting level means more resolver calls.

Security Quirks & Niche Facts

  • The “Single HTTP Request” Rate Limit Illusion: Request-counting rate limiters (Nginx limit_req, most WAF rules) work per HTTP request and never look at how many operations the GraphQL body actually carries. An attacker can pack thousands of login attempts into one request in two ways: Query Batching (an array of operations in a single JSON body, where the server accepts it) or Aliases (the same field repeated under different names inside one query). The proxy counts one request and lets it through; the backend executes every operation.
# Nginx sees 1 HTTP request. The backend processes 3 separate logins.
query {
  try1: login(user: "admin", pass: "123") { token }
  try2: login(user: "admin", pass: "password") { token }
  try3: login(user: "admin", pass: "admin") { token }
}

  • Graph Path Denial of Service (DoS): GraphQL inherently allows querying relationships. If relationships are bidirectional (e.g., a User has Friends, and Friends are also Users), an attacker can request a massively nested query (User -> Friends -> User -> Friends -> ...). Parsing such a document is cheap; the damage happens at execution time, because every level of nesting fans out into more resolver calls and database queries, so the work grows exponentially with depth. If the server enforces neither a maximum query depth nor a query cost limit, a single request can exhaust the Node/Python backend's CPU and memory and take the service down.

Exploitation

(Populated automatically from the technique notes that link to this page and carry the 🚩 tag.)

Mitigation

  • Fix 1: Disable Introspection in Production. Attackers cannot easily enumerate what the schema does not advertise. Treat this as defence in depth only: field-name suggestions in error messages (“Did you mean ...?”) and queries shipped in client bundles still let the schema be reconstructed, so it is no substitute for authorization checks inside resolvers.

  • Fix 2: Implement Query Depth & Complexity Limits. A depth limit caps how many levels a query may nest and stops the Friends -> User -> Friends chain. A complexity limit assigns a “cost” to each field or resolver and rejects queries whose total exceeds a maximum computational threshold, which catches amplification that stays shallow: a query with 10,000 aliased login fields has depth 1. Use both.

  • Fix 3: Execution-Layer Rate Limiting. Do not rely on Nginx or WAFs alone. Rate limits must be applied inside the GraphQL application layer, counting the operations executed per client (aliases and batch entries included), not just the HTTP requests received. Cap the batch size, and keep per-account login failure counting in the authentication code itself so that it holds regardless of how the attempts were transported.
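The guard below is an added example, not code from the original note or from any GraphQL library. It is a dependency-free Node.js pre-execution check that implements Fixes 2 and 3 against the aliased-login and nested-friends payloads described in the quirks section: it counts how many operations an HTTP body really carries (aliases plus batch entries), measures nesting depth, and charges a per-client budget in operations rather than requests. The schema (login, user, friends) and the sample requests are constructed for illustration; the scanner is deliberately minimal and counts fragments and multi-operation documents conservatively (every depth-1 selection counts), so it can over-count but never under-count.

```javascript
// Added example (not from the original note or any GraphQL library).
// Pre-execution guard: counts operations (aliases + batch entries),
// measures nesting depth and charges a per-client operation budget.
// Scanner is minimal: fragments/multi-operation documents are counted
// conservatively (every depth-1 selection counts), never under-counted.

// Blank out string literals and comments so braces inside them are ignored.
function stripStringsAndComments(src) {
  return src
    .replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// One document -> { rootFields, depth }.
//   rootFields: selections directly under a top-level selection set
//               (try1: login(...) and try2: login(...) are two)
//   depth:      selection sets nested below the root; { me { id } } is 1
function analyzeDocument(query) {
  const src = stripStringsAndComments(query);
  let braces = 0, parens = 0, maxBraces = 0, rootFields = 0;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '(') { parens++; continue; }
    if (c === ')') { parens--; continue; }
    if (parens > 0) continue;                       // inside arguments
    if (c === '{') { braces++; maxBraces = Math.max(maxBraces, braces); continue; }
    if (c === '}') { braces--; continue; }
    if (!/[A-Za-z_]/.test(c)) continue;
    let j = i;                                      // scan one identifier
    while (j < src.length && /[A-Za-z0-9_]/.test(src[j])) j++;
    let k = j;
    while (k < src.length && /\s/.test(src[k])) k++;
    const isAlias = src[k] === ':';                 // real field name follows
    const isDirective = i > 0 && src[i - 1] === '@';
    if (braces === 1 && !isAlias && !isDirective) rootFields++;
    i = j - 1;
  }
  return { rootFields, depth: Math.max(0, maxBraces - 1) };
}

// HTTP body (single object or batched array) -> decision. Never throws.
function inspectRequest(bodyText, limits) {
  const deny = (reason, extra = {}) =>
    ({ allowed: false, reason, operations: 0, depth: 0, batchSize: 0, ...extra });
  let body;
  try { body = JSON.parse(bodyText); } catch (e) { return deny('invalid JSON'); }
  const entries = Array.isArray(body) ? body : [body];
  let operations = 0, depth = 0;
  for (const entry of entries) {
    if (!entry || typeof entry.query !== 'string') return deny('missing query');
    const a = analyzeDocument(entry.query);
    operations += a.rootFields;
    depth = Math.max(depth, a.depth);
  }
  const stats = { operations, depth, batchSize: entries.length };
  if (entries.length > limits.maxBatch) return deny('batch too large', stats);
  if (operations > limits.maxOperations) return deny('too many operations', stats);
  if (depth > limits.maxDepth) return deny('query too deep', stats);
  return { allowed: true, reason: 'ok', ...stats };
}

// Fix 3: budget per client in executed operations, not HTTP requests.
// Fixed window; `now` is injectable so behaviour is deterministic.
class OperationBudget {
  constructor(maxOperations, windowMs) {
    this.max = maxOperations; this.windowMs = windowMs; this.clients = new Map();
  }
  consume(clientId, operations, now = Date.now()) {
    let w = this.clients.get(clientId);
    if (!w || now - w.start >= this.windowMs) {
      w = { start: now, used: 0 };
      this.clients.set(clientId, w);
    }
    if (w.used + operations > this.max) return false;  // refuse before executing
    w.used += operations;
    return true;
  }
}

// Constructed sample requests against a hypothetical login/user/friends schema.
const LIMITS = { maxBatch: 5, maxOperations: 10, maxDepth: 6 };
function aliasedLoginRequest(n) {            // the alias trick, n attempts
  const fields = Array.from({ length: n }, (_, i) =>
    `t${i}: login(user: "admin", pass: "guess${i}") { token }`).join('\n');
  return JSON.stringify({ query: `query {\n${fields}\n}` });
}
function nestedFriendsRequest(levels) {      // user { friends { friends ... { id } } }
  let sel = '{ id }';
  for (let i = 0; i < levels; i++) sel = `{ friends ${sel} }`;
  return JSON.stringify({ query: `query { user ${sel} }` });
}
function batchedRequest(n) {                 // n operations in one JSON array
  return JSON.stringify(Array.from({ length: n }, () => ({ query: '{ me { id } }' })));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(inspectRequest(aliasedLoginRequest(10000), LIMITS)); // reason: too many operations
}
```

Wire `inspectRequest` in front of the real engine and call `budget.consume(clientId, decision.operations)` only for requests that pass; a three-alias login request is then charged as three attempts, and a 10,000-alias request or an eleven-level friends chain is rejected before a single resolver runs. Because the scanner never under-counts, a false rejection is the only failure mode of the approximation; a production deployment would replace it with the engine's own validated AST, but the accounting rule (operations, not requests) stays the same.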

