GraphQL Array-based Query Batching Allowed: Potential Batching Attack Vulnerability

Your web application is running with GraphQL Array-based Query Batching enabled, allowing 10+ simultaneous queries in a single request. GraphQL Query Batching is a feature that permits multiple queries to be sent to the server in a single request, reducing server processing overhead. While this feature is beneficial in certain use cases, it can also be exploited by malicious actors to perform batching attacks, which involve sending a large number of GraphQL operations within a single web request.

Allowing GraphQL Array-based Query Batching with 10+ simultaneous queries in a production environment can lead to potential abuse by attackers. They can perform brute force attacks more efficiently by reducing the total number of required requests, thereby shortening the attack time and complexity. Sensitive functionalities like Two-Factor Authentication, login mechanisms, username enumeration, and identifier enumeration are particularly susceptible to batching attacks. Additionally, it may lead to Denial of Service (DoS) attacks on GraphQL APIs, impacting the availability and performance of the web application for legitimate users.

Limit Query Batching: Implement restrictions on the number of allowed queries in a single batch request to reduce the potential impact of a batching attack.