creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-graphql-depth-limit-attack/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

42 lines
1.6 KiB
Markdown
Raw Blame History

# API Reference — Performing GraphQL Depth Limit Attack
## Libraries Used
- **requests**: Send GraphQL queries with depth/width/batch payloads
- **time**: Measure response latency for resource exhaustion detection
## CLI Interface
```
python agent.py depth --url <endpoint> [--max-depth 20] [--auth-header "Bearer token"]
python agent.py circular --url <endpoint> --type-a User --field-a posts --type-b Post --field-b author [--depth 10]
python agent.py batch --url <endpoint> [--count 50]
python agent.py width --url <endpoint> [--width 50] [--depth 5]
```
## Core Functions
### `build_nested_query(field_name, depth, leaf)` — Construct nested query payload
Generates progressively deeper GraphQL queries for depth limit probing.
### `test_depth_limit(url, max_depth, headers)` — Probe depth enforcement
Sends queries at increasing depth (1 to max_depth). Classifies severity:
HIGH (>=15 allowed), MEDIUM (>=8), LOW (<8).
### `test_circular_query(url, type_a, field_a, type_b, field_b, depth)` — Test circular references
Builds alternating A.field_a -> B.field_b chains to test circular query handling.
### `test_batch_query(url, count, headers)` — Test batch query bypass
Sends array of N queries to check if batching bypasses per-query depth limits.
### `test_resource_exhaustion(url, width, depth, headers)` — Test wide+deep queries
Combines field width (aliases) with nesting depth. Flags SLOW_RESPONSE if >5s.
## Severity Classification
- **HIGH**: No depth limit or limit >= 15 levels
- **MEDIUM**: Depth limit 8-14 or batch queries accepted
- **LOW**: Depth limit < 8 with proper enforcement
## Dependencies
```
pip install requests
```
Reference in New Issue View Git Blame Copy Permalink