akto-api-security / akto

Proactive, Open source API security → API discovery, Testing in CI/CD, Test Library with 150+ Tests, Add custom tests, Sensitive data exposure
https://www.akto.io/
MIT License

⛏️ Write test to detect Rate limit bypass on GraphQL APIs #110

Open Ankita28g opened 1 year ago

Ankita28g commented 1 year ago

💭 Introduction: https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits

📚 Reading: You can find detailed documentation of the test editor rules here. Find 100+ examples of YAML tests here.

✅ Task summary:

✌🏻 Hints: You can build the YAML template by referring to this link.

🙋🏼‍♂️ Questions: If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.

rashmibharambe commented 1 year ago

@Ankita28g - could you please assign this to me? I can work on this.

avneesh-akto commented 1 year ago

I've assigned it to you, @rashmibharambe . Happy hacking! Feel free to join our Discord if you need assistance.

rashmibharambe commented 1 year ago

> I've assigned it to you, @rashmibharambe . Happy hacking! Feel free to join our Discord if you need assistance.

@avneesh-akto - I have raised a PR and also tested it in the test editor before raising it. https://github.com/akto-api-security/tests-library/pull/31

shivam-rawat-akto commented 1 year ago

@rashmibharambe Thanks for trying out Akto. In your test, you have concatenated the request multiple times, which will not work in an actual GraphQL request. In one request you can send one "query" or "mutation",

such as "mutation { query1, query2, query3 .... } "

Multiple mutations need to be wrapped inside a single mutation query; that's why your test won't work. You can check it yourself in a GraphQL playground available online.
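The point made above (N mutations must be aliased inside one mutation rather than sent as N concatenated requests) is also what a server-side rate limiter has to account for, since a per-request counter sees one request either way. As an added example, not code from Akto or from this thread, the following Python charges one rate-limit unit per root-level selection of a GraphQL document and rejects documents that carry more than one operation definition (an assumed policy for this example; a real server may accept several named operations with `operationName`).

```python
import re
from typing import Tuple

# Tokens that matter for counting root-level selections: fragment spreads,
# names and a few punctuators. Strings and comments are removed beforehand
# so braces inside them are not miscounted.
_TOKEN = re.compile(r"\.\.\.|[A-Za-z_][A-Za-z0-9_]*|[{}():@$]")
_PUNCT = {":", "@", "$"}   # name after ':' is an aliased field, after '@' a directive, after '$' a variable

def _clean(doc: str) -> str:
    doc = re.sub(r'"""[\s\S]*?"""', '""', doc)        # block strings
    doc = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', doc)   # plain strings
    return re.sub(r"#[^\n]*", "", doc)                 # comments

def count_operations_and_root_fields(doc: str) -> Tuple[int, int]:
    """Return (operation definitions, root-level selections).

    'mutation { a: login(...) {token} b: login(...) {token} }' is one
    operation with two root fields; each aliased copy is charged separately.
    """
    ops = fields = brace = paren = skip = 0
    in_fragment = False
    prev = None
    for tok in _TOKEN.findall(_clean(doc)):
        if skip:                      # skip the name after '...' (and the type after 'on')
            skip -= 1
            if tok == "on":
                skip = 1
        elif tok == "{":
            if brace == 0 and not in_fragment:
                ops += 1              # a top-level selection set starts an operation
            brace += 1
        elif tok == "}":
            brace -= 1
            if brace == 0:
                in_fragment = False
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif tok == "fragment" and brace == 0:
            in_fragment = True        # fragment definitions are not operations
        elif brace == 1 and paren == 0 and not in_fragment:
            if tok == "...":
                fields += 1           # fragment spread or inline fragment at root level
                skip = 1
            elif tok not in _PUNCT and prev not in _PUNCT:
                fields += 1           # a root field (or its alias, counted once)
        prev = tok
    return ops, fields

def batched_cost(doc: str) -> int:
    """Units to charge against the client's rate limit for this document."""
    ops, fields = count_operations_and_root_fields(doc)
    if ops != 1:                      # assumed policy: exactly one operation per request
        raise ValueError(f"expected exactly one operation, found {ops}")
    return fields
```

With the constructed inputs in the comments, a single `login` mutation costs 1, the aliased batch of three costs 3, and two concatenated `mutation { ... }` blocks are rejected as two operations.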

rashmibharambe commented 1 year ago

> @rashmibharambe Thanks for trying out Akto. In your test, you have concatenated the request multiple times, which will not work in an actual GraphQL request. In one request you can send one "query" or "mutation",
>
> such as "mutation { query1, query2, query3 .... } "
>
> Multiple mutations need to be wrapped inside a single mutation query; that's why your test won't work. You can check it yourself in a GraphQL playground available online.

@shivam-rawat-akto I have made the changes to append multiple queries. I also referred to the Hasura GraphQL playground; the query is working with append as you suggested. [image: IMG_20231026_222923]

avneesh-akto commented 12 months ago

@shivam-rawat-akto Can you please review this?

shivam-rawat-akto commented 12 months ago

Hey @rashmibharambe, I saw your changes. You will have to extract the mutation query from the request payload to concatenate it. Also, can you please test it out yourself to check whether your test works?