diff --git a/docs/assets/img/web/GraphQL_Batching_Attack.png b/docs/assets/img/web/GraphQL_Batching_Attack.png new file mode 100644 index 0000000..dbcf3ab Binary files /dev/null and b/docs/assets/img/web/GraphQL_Batching_Attack.png differ diff --git a/docs/web/authentication.md b/docs/web/authentication.md index 3128881..44286b0 100644 --- a/docs/web/authentication.md +++ b/docs/web/authentication.md @@ -5,6 +5,8 @@ description: Authentication enumeration and bruteforce cheatsheet # Authentication enumeration / bruteforce +## Methodology + - Enumeration depending on : - Response - Code (ex: 302 redirection) @@ -17,3 +19,11 @@ description: Authentication enumeration and bruteforce cheatsheet - Bypass 2FA - Bruteforce 2FA Token - Use the token of another account + +## GraphQL Batching Attack + +A batching attack refers to abusing this batch query feature to perform many GraphQL operations within one single web request. The batching attack helps facilitate brute force attacks by reducing the total number of potential requests needed to be successful. + +Example with OTP token bruteforcing : + +![GraphQL_Batching_Attack.png](/assets/img/web/GraphQL_Batching_Attack.png) \ No newline at end of file
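Review bot: In the second hunk of docs/web/authentication.md, the new "GraphQL Batching Attack" section opens with "abusing this batch query feature", but nothing before it introduces the feature, so "this" has no antecedent. Add a sentence ahead of it that says what GraphQL query batching is, then let the existing sentence follow. The OTP example exists only as the image GraphQL_Batching_Attack.png, whose alt text is just the file name. A short text version of the batched query next to the image, plus a descriptive alt text, would keep the example searchable and readable when the image does not load. The image is added under docs/assets/img/web/ but linked as /assets/img/web/GraphQL_Batching_Attack.png, so please confirm the absolute path resolves in the built site. Since the page says batching reduces the number of requests a brute force needs, a one-line pointer to the matching control (limiting or counting operations per batched request) would round out the section. The file also ends without a trailing newline.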