From e73bd170f55253c2106757a0e4603f83eafdbd82 Mon Sep 17 00:00:00 2001
From: rashmibharambe <93034034+rashmibharambe@users.noreply.github.com>
Date: Mon, 23 Oct 2023 19:05:57 +0530
Subject: [PATCH 1/3] Write test to detect Rate limit bypass on GraphQL APIs

---
 .../RateLimitBypassGraphQL.yaml | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml

diff --git a/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
new file mode 100644
index 00000000..c11d0b5f
--- /dev/null
+++ b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
@@ -0,0 +1,48 @@
+id: RATE_LIMIT_BYPASS_GRAPHQL
+info:
+ name: "Rate Limit Bypass Vulnerability in GraphQL"
+ description: "The GraphQL specification allows multiple requests to be sent in a single request by batching them together."
+ details: >
+ "The GraphQL specification allows multiple requests to be sent in a single request by batching them together. If the developers did not implement some mechanism to prevent the sending of batch requests, you could potentially bypass the rate limit by sending queries in a single request."
+ impact: "If the developers did not implement some mechanism to prevent the sending of batch requests, you could potentially bypass the rate limit by sending queries in a single request."
+ category:
+ name: RL
+ shortName: Lack of Resources & Rate Limiting
+ displayName: Lack of Resources & Rate Limiting (RL)
+ subCategory: RATE_LIMIT_BYPASS_GRAPHQL
+ severity: MEDIUM
+ tags:
+ - GraphQL
+ - Business logic
+ - OWASP top 10
+ - HackerOne top 10
+ references:
+ - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits"
+ cwe:
+ - CWE-287
+
+api_selection_filters:
+ response_code:
+ gte: 200
+ lt: 300
+ request_payload:
+ extract: reqPayloadVar
+ contains_either: mutation
+ url:
+ contains_either: graphql
+
+execute:
+ type: single
+ requests:
+ - req:
+ replace_body: ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar}
+
+validate:
+ response_code:
+ gte: 200
+ lt: 300
+ response_payload:
+ percentage_match:
+ gt: 80
+ length:
+ gt: 0

From ca497d2a73d7c78b5f5922af9c22e62e887c61ae Mon Sep 17 00:00:00 2001
From: rashmibharambe <93034034+rashmibharambe@users.noreply.github.com>
Date: Mon, 23 Oct 2023 22:42:56 +0530
Subject: [PATCH 2/3] Update RateLimitBypassGraphQL.yaml

---
 .../RateLimitBypassGraphQL.yaml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
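Review bot: The `details:` value is a `>` folded block whose only content line is itself wrapped in double quotes, so the literal `"` characters become part of the rendered text; either drop the quotes inside the block or write `details: "..."` as a plain quoted scalar, the way `description` and `impact` are written (those two repeat the same sentences and could be tightened). The `cwe` entry `CWE-287` (Improper Authentication) does not describe a missing request throttle; CWE-770 (Allocation of Resources Without Limits or Throttling) or CWE-799 (Improper Control of Interaction Frequency) is the usual mapping for rate-limiting weaknesses. The selection filter `request_payload: contains_either: mutation` matches any body containing that substring, including a query whose field or variable merely carries that name, so the extracted `reqPayloadVar` is not guaranteed to hold a mutation; if the engine offers a stricter matcher, anchoring on the operation keyword would make the selection more reliable.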
diff --git a/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
index c11d0b5f..c01950bb 100644
--- a/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
+++ b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
@@ -35,14 +35,11 @@ execute:
 type: single
 requests:
 - req:
- replace_body: ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar}
+ replace_body: ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar}
 
 validate:
 response_code:
 gte: 200
 lt: 300
 response_payload:
- percentage_match:
- gt: 80
- length:
- gt: 0
+ contains_either: .*limit.*

From 4bd9b8e7a289215d22fe30a93f8395491fed8c3d Mon Sep 17 00:00:00 2001
From: rashmibharambe <93034034+rashmibharambe@users.noreply.github.com>
Date: Thu, 26 Oct 2023 22:27:32 +0530
Subject: [PATCH 3/3] Update RateLimitBypassGraphQL.yaml

---
 Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
index c01950bb..57fcd56f 100644
--- a/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
+++ b/Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml
@@ -35,7 +35,7 @@ execute:
 type: single
 requests:
 - req:
- replace_body: ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar} ${reqPayloadVar}
+ replace_body: "mutation {${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar} }"
 
 validate:
 response_code:
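Review bot: The new validate check `contains_either: .*limit.*` is written as a regex, but `contains_either` is used elsewhere in this file (`contains_either: mutation`, `contains_either: graphql`) as a plain substring match; if it is substring matching, the literal text `.*limit.*` will never appear in a response and the test can never flag anything. The condition also looks inverted with respect to the test's intent: a 2xx whose body mentions "limit" is more likely a throttling message, i.e. evidence that the rate limit fired, not that it was bypassed. Consider restoring the removed `percentage_match: gt: 80` and `length: gt: 0` comparison against the original response, which is what a batch that went through unthrottled looks like, and if a pattern match is wanted use a dedicated regex operator where the engine provides one. The `execute:` key itself sits just outside the hunk as header context.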
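Review bot: `replace_body: "mutation {${reqPayloadVar}, ...}"` nests five copies of `reqPayloadVar` inside a `mutation { }` selection, but `reqPayloadVar` is extracted from the whole request payload in `api_selection_filters`, which for a GraphQL POST is presumably the JSON envelope (`{"query": ..., "variables": ...}`) rather than a bare selection set; wrapping that in braces yields neither valid JSON nor a valid GraphQL document, so the target most likely answers 400 and the `gte: 200` / `lt: 300` gate in `validate` silently reports a negative. Even if the extracted value were a selection set, five identical unaliased fields in one selection are merged by the GraphQL executor into a single field, so the server performs one operation and the batching premise of the test is never exercised; each repetition needs a distinct response name for the request to count as five operations. It would help to state in `info.details` what shape of request body the template expects, since the validity of the rewritten payload depends on it. The `execute:` key itself sits just outside the hunk as header context.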