HawkScan Test Info for GraphQL Batch Query Supported

GraphQL Batch Query Supported

Reference

Plugin Id: 90052 | CWE: 400

Remediation

To mitigate GraphQL batch query abuse vulnerabilities, implement the following security controls:

  1. Disable batch queries if not required: If your application doesn’t need batch query functionality, disable it at the server level.

    Example (Apollo Server):

    // Apollo Server 4 ships with HTTP batching disabled; keeping
    // allowBatchedHttpRequests at its default of false (shown explicitly here)
    // makes the server reject array-shaped request bodies.
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      allowBatchedHttpRequests: false,
    });

    // Older Apollo Server versions accept array bodies by default. Reject them
    // in the HTTP layer, before the GraphQL handler runs (express.json() must
    // already have parsed req.body). A plugin hook such as willSendResponse is
    // too late: by then Apollo has split the batch into separate operations.
    app.use('/graphql', (req, res, next) => {
      if (Array.isArray(req.body)) {
        return res.status(400).json({
          errors: [{ message: 'Batch queries are not allowed' }]
        });
      }
      next();
    });
    
  2. Implement query complexity analysis: Use query cost analysis to prevent expensive batch operations.

    Example (GraphQL Cost Analysis):

    // graphql-cost-analysis is a validation rule (default export), not a plugin
    const costAnalysis = require('graphql-cost-analysis').default;

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      validationRules: [
        costAnalysis({
          maximumCost: 1000,
          onComplete: (cost) => {
            console.log('Query cost:', cost);
          }
        })
      ]
    });
    // Validation rules run once per operation, so each operation in a batch is
    // checked against maximumCost on its own; combine this with a batch size limit.
    
  3. Implement rate limiting: Apply rate limiting specifically for batch operations to prevent abuse.

    Example (Express Rate Limit):

    const express = require('express');
    const rateLimit = require('express-rate-limit');

    const app = express();
    app.use(express.json()); // req.body must be parsed before skip() inspects it

    const batchLimiter = rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 5, // limit each IP to 5 batch requests per windowMs
      skip: (req) => !Array.isArray(req.body) // only apply to batch requests
    });

    app.use('/graphql', batchLimiter);
    
  4. Limit batch size: If batch queries are necessary, implement limits on the number of operations per batch request.
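The batch size limit from item 4, as an added example that is not HawkScan's, Apollo's or Express's own code: a framework-agnostic check on the parsed request body, plus an Express-style middleware built on it. The limit of 10 operations and the sample bodies are assumptions constructed for illustration.

```javascript
// Assumed cap on operations per batch request; tune to what real clients need.
const MAX_BATCH_OPERATIONS = 10;

// Inspect a parsed JSON request body and decide whether it may proceed.
// Returns { ok: true, operations } or { ok: false, status, message }.
function checkBatchSize(body, maxOperations = MAX_BATCH_OPERATIONS) {
  // A non-array body is a single (unbatched) operation.
  if (!Array.isArray(body)) {
    return { ok: true, operations: 1 };
  }
  if (body.length === 0) {
    return { ok: false, status: 400, message: 'Empty batch' };
  }
  if (body.length > maxOperations) {
    return {
      ok: false,
      status: 413,
      message: `Batch of ${body.length} operations exceeds limit of ${maxOperations}`
    };
  }
  // Every element must look like a GraphQL request; otherwise reject the whole batch.
  const malformed = body.findIndex(
    (op) => op === null || typeof op !== 'object' || typeof op.query !== 'string'
  );
  if (malformed !== -1) {
    return { ok: false, status: 400, message: `Batch element ${malformed} is not a GraphQL request` };
  }
  return { ok: true, operations: body.length };
}

// Express-style middleware: mount on the GraphQL path, after express.json()
// and before the GraphQL handler, so oversized batches never reach resolvers.
function batchSizeLimiter(maxOperations = MAX_BATCH_OPERATIONS) {
  return function (req, res, next) {
    const result = checkBatchSize(req.body, maxOperations);
    if (!result.ok) {
      res.status(result.status).json({ errors: [{ message: result.message }] });
      return;
    }
    next();
  };
}

// Constructed sample bodies (not real traffic).
const singleQuery = { query: '{ __typename }' };
const smallBatch = Array.from({ length: 3 }, () => ({ query: '{ __typename }' }));
const oversizedBatch = Array.from({ length: 50 }, () => ({ query: '{ __typename }' }));
```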

About

GraphQL batch queries allow multiple operations to be sent in a single HTTP request, which can improve performance by reducing network overhead. However, this feature can be abused by attackers to bypass rate limiting, overwhelm servers with multiple expensive operations, or circumvent query cost analysis that doesn’t account for batch operations. This vulnerability is detected by first obtaining the GraphQL schema through introspection and then testing whether the endpoint accepts batch query arrays.

Risks

The risks associated with unsecured GraphQL batch query support include:

  • Rate limiting bypass: Attackers can send multiple queries in a single request to bypass per-request rate limits.
  • Resource exhaustion: Multiple expensive operations in a single batch can cause CPU, memory, or database connection exhaustion.
  • Amplification attacks: Batch queries can amplify the impact of resource-intensive operations, leading to denial of service.
  • Cost analysis bypass: Query cost analysis that doesn’t account for batch operations may underestimate the true cost of requests.