Denial of Service :: Batch Query Attack


Problem Statement

GraphQL supports request batching: several operations are sent in one HTTP request, and the server processes them one after the other. That sequential processing makes batching a good candidate for denial-of-service attacks, as well as other attacks such as brute force and enumeration.

If a resource-intensive GraphQL query is identified, an attacker may leverage batch processing to call that query repeatedly and potentially overwhelm the service for a prolonged period of time.

The query systemUpdate seems to take a long time to complete, and can be used to overwhelm the server by batching the systemUpdate query.
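A defender's counterpart to the problem statement above, added here as an example and not part of the original page or of the application it describes: a server-side check that inspects a GraphQL request body before execution, counts the operations in a batch, and counts how many of them target an expensive field such as systemUpdate. The field name comes from the page; the batch-size limit, the per-field limits, the request bodies, and the regex used to pull out the top-level field are assumptions made for the example (a production deployment would tune the limits to its own schema and use a real GraphQL parser instead of the regex).

```python
import json
import re
from collections import Counter
from typing import Optional

# Constructed request bodies in the shape a GraphQL client sends: one object for a
# single operation, or a JSON array for a batch. The 50-copy batch reproduces the
# pattern the page describes (the expensive systemUpdate query, repeated) so the
# check below has something to reject; it is a test fixture, not captured traffic.
SAMPLE_SINGLE = json.dumps({"query": "query { systemUpdate }"})
SAMPLE_BATCH = json.dumps([{"query": "query { systemUpdate }"} for _ in range(50)])
SAMPLE_MIXED = json.dumps([
    {"query": "{ pastes { id } }"},
    {"query": 'mutation { login(username: "u", password: "p") { token } }'},
])

# Assumed limits for this example; a real deployment tunes them to its own schema.
MAX_BATCH_SIZE = 10                       # operations per HTTP request
PER_FIELD_LIMITS = {"systemUpdate": 1}    # max calls per batch for expensive fields

# Crude match for the first top-level field of an operation's selection set.
# Sufficient for a detection example; production code should use a GraphQL parser.
_TOP_LEVEL_FIELD = re.compile(
    r"^\s*(?:query|mutation|subscription)?\s*\w*\s*(?:\([^)]*\))?\s*\{\s*(\w+)"
)


def normalize_batch(body: str) -> list:
    """Return the list of operations in a request body; a lone object is a batch of one."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            raise ValueError("every operation needs a string 'query' member")
    return ops


def top_level_field(query: str) -> Optional[str]:
    """Name of the first field requested by the operation, or None if unparseable."""
    match = _TOP_LEVEL_FIELD.match(query)
    return match.group(1) if match else None


def evaluate_batch(body: str, max_batch_size: int = MAX_BATCH_SIZE,
                   per_field_limits: dict = PER_FIELD_LIMITS) -> dict:
    """Decide whether a request body should be served, and why not if it should not."""
    ops = normalize_batch(body)
    counts = Counter(f for f in (top_level_field(op["query"]) for op in ops) if f)
    reasons = []
    if len(ops) > max_batch_size:
        reasons.append(f"batch of {len(ops)} operations exceeds limit {max_batch_size}")
    for field, limit in per_field_limits.items():
        if counts[field] > limit:
            reasons.append(f"{counts[field]} calls to {field} exceed per-batch limit {limit}")
    return {
        "allowed": not reasons,
        "batch_size": len(ops),
        "field_counts": dict(counts),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, body in [("single", SAMPLE_SINGLE), ("batch", SAMPLE_BATCH), ("mixed", SAMPLE_MIXED)]:
        verdict = evaluate_batch(body)
        print(label, "allowed" if verdict["allowed"] else "rejected", verdict["reasons"])
```

The check runs before any resolver executes, so a rejected batch costs the server a JSON parse and a regex match rather than fifty slow systemUpdate runs; in a Flask-style application it would sit in a request hook and answer with a 4xx status when `allowed` is false. The same per-field mapping covers the brute-force case the page mentions: giving an authentication field a low per-batch limit stops a single request from carrying many login attempts.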
