Skip to content

⛏️ Write test to detect Rate limit bypass on GraphQL APIs #110

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
6 tasks
Ankita28g opened this issue Mar 4, 2023 · 7 comments
Open
6 tasks

⛏️ Write test to detect Rate limit bypass on GraphQL APIs #110

Ankita28g opened this issue Mar 4, 2023 · 7 comments
Assignees
@rashmibharambe
Labels
feature request Requesting a new feature good first issue Good for newcomers hacktoberfest test

Comments

@Ankita28g
Copy link
Contributor

Ankita28g commented Mar 4, 2023
edited by ankush-jain-akto
Loading

💭 Introduction:
https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits

📚 Reading
You can find a detailed documentation of test editor rules here
Find 100+ examples of YAML tests here

✅ Task summary:

  • Ask to be assigned to the issue.
  • Wait to be assigned. We will try to assign in less than 2 hours.
  • Fork the tests-library repository, create a new branch and commit the yaml file which will be called in your test.
  • Signup for Akto
  • Check in the Attempt tab, if the payload changes, then task is done.
  • Submit the PR here.

✌🏻 Hints:
You can build the yaml template by referring this link

🙋🏼‍♂️ Questions:
If you have questions, need any help, or just want to hang out, make sure to join us on our Discord server.
@Ankita28g Ankita28g added good first issue Good for newcomers feature request Requesting a new feature hackfest Hackathon - 24th march to 3rd april labels Mar 4, 2023
@Ankita28g Ankita28g changed the title Rate limit bypass - https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits ⚡️Add test to detect Rate limit bypass on GraphQL APIs Mar 4, 2023
@Ankita28g Ankita28g changed the title ⚡️Add test to detect Rate limit bypass on GraphQL APIs ⚡️Write test to detect Rate limit bypass on GraphQL APIs Mar 4, 2023
@Ankita28g Ankita28g changed the title ⚡️Write test to detect Rate limit bypass on GraphQL APIs ⛏️ Write test to detect Rate limit bypass on GraphQL APIs Mar 6, 2023
@Ankita28g Ankita28g added the test label Mar 7, 2023
@Ankita28g Ankita28g added hacktoberfest and removed hackfest Hackathon - 24th march to 3rd april labels Sep 29, 2023
@rashmibharambe
Copy link

@Ankita28g - could you please assign this to me.
I can work on this.

@avneesh-akto
Copy link
Contributor

I've assigned it to you, @rashmibharambe . Happy hacking! Feel free to join our Discord if you need assistance.

@rashmibharambe rashmibharambe mentioned this issue Oct 23, 2023
Open
@rashmibharambe
Copy link

I've assigned it to you, @rashmibharambe . Happy hacking! Feel free to join our Discord if you need assistance.

@avneesh-akto - I have raised PR, also tested on tests editor before raising PR.
akto-api-security/tests-library#31

@shivam-rawat-akto
Copy link
Contributor

@rashmibharambe Thanks for trying out Akto,
In your test, you have concatenated the request multiple times, which will not work in actual graphql request,
In one request you can send one "query" or "mutation",

such as "mutation { query1, query2, query3 .... } "

multiple mutations needs to be wrapped inside single mutation query,
thats why your test won't work.
you can check it yourself in graphql playground available online.

@rashmibharambe
Copy link

@rashmibharambe Thanks for trying out Akto, In your test, you have concatenated the request multiple times, which will not work in actual graphql request, In one request you can send one "query" or "mutation",

such as "mutation { query1, query2, query3 .... } "

multiple mutations needs to be wrapped inside single mutation query, thats why your test won't work. you can check it yourself in graphql playground available online.

@shivam-rawat-akto I have made the changes to append multiple queries. Also referred hasura graphql playground, query is working with append as you suggested -
IMG_20231026_222923

@avneesh-akto
Copy link
Contributor

@shivam-rawat-akto Can you please review this

@shivam-rawat-akto
Copy link
Contributor

Hey @rashmibharambe, saw your changes,
you will have to extract the mutation query from request payload to concatenate
also can you please test it out yourself if your test works?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rashmibharambe rashmibharambe

Labels
feature request Requesting a new feature good first issue Good for newcomers hacktoberfest test
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Ankita28g @avneesh-akto @rashmibharambe @shivam-rawat-akto