akto
⛏️ Write test to detect Rate limit bypass on GraphQL APIs
💭 Introduction: https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits
📚 Reading: You can find detailed documentation of test editor rules here. Find 100+ examples of YAML tests here.
✅ Task summary:
- [ ] Ask to be assigned to the issue.
- [ ] Wait to be assigned. We will try to assign in less than 2 hours.
- [ ] Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
- [ ] Signup for Akto
- [ ] Check in the Attempt tab; if the payload changes, then the task is done.
- [ ] Submit the PR here.
✌🏻 Hints: You can build the YAML template by referring to this link.
🙋🏼‍♂️ Questions: If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.
@Ankita28g - could you please assign this to me. I can work on this.
I've assigned it to you, @rashmibharambe . Happy hacking! Feel free to join our Discord if you need assistance.
@avneesh-akto - I have raised PR, also tested on tests editor before raising PR. https://github.com/akto-api-security/tests-library/pull/31
@rashmibharambe Thanks for trying out Akto. In your test, you have concatenated the request multiple times, which will not work in an actual GraphQL request. In one request you can send one "query" or "mutation",
such as "mutation { query1, query2, query3 .... }".
Multiple mutations need to be wrapped inside a single mutation query; that's why your test won't work. You can check it yourself in a GraphQL playground available online.
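The point made above, that several mutations travel as one HTTP request once they are wrapped in a single operation, is also what a server-side rate limiter has to account for. The following is an added Python example, not Akto's test or the PR's code: it parses a GraphQL JSON body, lists the top-level fields of the operation, and counts how many mutations the request actually carries. Both request bodies are constructed samples and the `login` field is hypothetical.

```python
import json
import re

# Constructed sample: a normal login mutation, one field per request.
SINGLE_REQUEST = json.dumps({
    "query": 'mutation { login(user: "alice", pass: "x") { token } }'
})
# Constructed sample: the shape described in the thread, several mutations under
# aliases inside ONE operation, so an HTTP-level rate limiter sees one request.
BATCHED_REQUEST = json.dumps({
    "query": 'mutation { a1: login(user: "alice", pass: "x") { token } '
             'a2: login(user: "alice", pass: "y") { token } '
             'a3: login(user: "alice", pass: "z") { token } }'
})

# Tokens: string literals, names, structural punctuation, any other single char.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[_A-Za-z][_0-9A-Za-z]*|[{}():@.]|\S')
NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*$")

def operation_body(payload: str) -> tuple[str, str]:
    """Return (operation type, selection set with braces) from a GraphQL JSON body.
    Covers `mutation Name($v: T) { ... }` and shorthand `{ ... }`; block strings and
    object defaults in the variable list are out of scope for this example."""
    query = json.loads(payload)["query"].strip()
    m = re.match(r"(query|mutation|subscription)\b", query)
    return (m.group(1) if m else "query"), query[query.index("{"):]

def top_level_fields(selection_set: str) -> list[str]:
    """Alias (or field name) of every field directly inside the outermost braces."""
    fields, brace, paren, prev = [], 0, 0, ""
    for tok in TOKEN_RE.findall(selection_set):
        if tok == "{":
            brace += 1
        elif tok == "}":
            brace -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        # A name at depth 1 starts a new field unless it follows an alias colon
        # (`a1: login`), a directive marker (`@skip`) or a fragment spread (`...F`).
        elif (brace == 1 and paren == 0 and NAME_RE.match(tok)
              and prev not in (":", "@", ".")):
            fields.append(tok)
        prev = tok
    return fields

def mutation_count(payload: str) -> int:
    """Mutations one request really carries (0 for queries); bill the limiter on this."""
    op, selection = operation_body(payload)
    return len(top_level_fields(selection)) if op == "mutation" else 0
```

A limiter that charges `mutation_count(body)` units per request, instead of one unit per HTTP request, closes the gap the test in this thread is meant to detect.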
@shivam-rawat-akto I have made the changes to append multiple queries. I also referred to the Hasura GraphQL playground; the query is working with append as you suggested -
@shivam-rawat-akto Can you please review this
Hey @rashmibharambe, saw your changes. You will have to extract the mutation query from the request payload to concatenate. Also, can you please test it out yourself to check that your test works?