Write test to detect Rate limit bypass on GraphQL APIs

Lack-of-Resources-and-Rate-Limiting/RateLimitBypassGraphQL.yaml

@@ -0,0 +1,45 @@
+id: RATE_LIMIT_BYPASS_GRAPHQL
+info:
+  name: "Rate Limit Bypass Vulnerability in GraphQL"
+  description: "The GraphQL specification allows multiple requests to be sent in a single request by batching them together."
+  details: >
+          "The GraphQL specification allows multiple requests to be sent in a single request by batching them together. If the developers did not implement some mechanism to prevent the sending of batch requests, you could potentially bypass the rate limit by sending queries in a single request."
+  impact: "If the developers did not implement some mechanism to prevent the sending of batch requests, you could potentially bypass the rate limit by sending queries in a single request."
+  category:
+    name: RL
+    shortName: Lack of Resources & Rate Limiting
+    displayName: Lack of Resources & Rate Limiting (RL)
+  subCategory: RATE_LIMIT_BYPASS_GRAPHQL
+  severity: MEDIUM
+  tags:
+    - GraphQL
+    - Business logic
+    - OWASP top 10
+    - HackerOne top 10
+  references:
+    - "https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities#bypass-of-rate-limits"
+  cwe:
+    - CWE-287
+
+api_selection_filters:
+  response_code:
+    gte: 200
+    lt: 300
+  request_payload:
+    extract: reqPayloadVar
+    contains_either: mutation
+  url:
+    contains_either: graphql
+
+execute:
+  type: single
+  requests:
+    - req:
+        replace_body: "mutation {${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar}, ${reqPayloadVar} }"
+
+validate:
+  response_code:
+    gte: 200
+    lt: 300
+  response_payload:
+    contains_either: .*limit.*