add graphql batching attack

xanhacks · Dec 4, 2022 · 9938300 · 9938300
1 parent c5e3df4
commit 9938300
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/docs/assets/img/web/GraphQL_Batching_Attack.png b/docs/assets/img/web/GraphQL_Batching_Attack.png
diff --git a/docs/web/authentication.md b/docs/web/authentication.md
@@ -5,6 +5,8 @@ description: Authentication enumeration and bruteforce cheatsheet
 
 # Authentication enumeration / bruteforce 
 
+## Methodology
+
 - Enumeration depending on :
     - Response
         - Code (ex: 302 redirection)
@@ -17,3 +19,11 @@ description: Authentication enumeration and bruteforce cheatsheet
 - Bypass 2FA
     - Bruteforce 2FA Token
     - Use the token of another account
+
+## GraphQL Batching Attack 
+
+A batching attack refers to abusing this batch query feature to perform many GraphQL operations within one single web request. The batching attack helps facilitate brute force attacks by reducing the total number of potential requests needed to be successful.
+
+Example with OTP token bruteforcing :
+
+![GraphQL_Batching_Attack.png](/assets/img/web/GraphQL_Batching_Attack.png)