
Exploiting GraphQL Aliases


Introduction

GraphQL is an API query language that lets developers write clean code and fetch exactly as much data as they want from a single query. GraphQL uses a single endpoint, such as /graphql or /api/graphql, and the HTTP method can be POST or GET. It has queries to read data and mutations to update data.

Example GraphQL Query

GraphQL keeps things simple.

Here, the query name is stores, with the variable <storesIds> set to "watsons". The fields requested in the query are id, name and storeId. The response contains only the data requested in those fields.

GraphQL Aliases

Aliases allow a user to get two or more results from the same query in a single request. The user can use different or identical arguments for each alias, and the response will contain one result per alias, computed with that alias's arguments.

Here, two aliases of the stores query are present with the same argument values, and the response contains two results, one for each alias.

Extra Load and Denial of Service

Denial of Service occurs when a server can no longer respond to requests because it is already under too much load. This extra load can be created by sending a very large number of requests to the server, or by sending one or a few requests that exhaust the server's capacity on their own.

Suppose that the <stores> query with these three fields (id, name and storeId) returns 100 bytes of data in the response. With 10000 aliases, the response grows to 1000000 bytes, or 1 MB. For a low-end web server, this is too much load.

Tips

  • Choose a query that has many fields, because its response will contain more data. If the normal query response is 1000 bytes, then 10000 aliases will produce 10 MB of data in the response.
  • Use Altair GraphQL Client, GraphQL Voyager (Burp Suite extension) or Burp Suite Repeater to record the response times and response sizes.

Remediation

Currently, GraphQL itself provides no built-in setting to limit the number of aliases used in a request. Developers can use the graphql-no-alias library, which can limit the number of aliases, or add their own validation logic, such as a regex pattern match for *:string.

Developers can also use deny by default, but then aliases cannot be used at all: only one mutation and one query per request is allowed.
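As an added illustration of the validation approach described above (this is example code written for this page, not code from the post or from the graphql-no-alias library), the following dependency-free JavaScript counts the aliases in a GraphQL document and rejects requests over a configurable limit. It deliberately ignores colons inside parentheses (argument and variable definitions), string literals and comments, because a plain `*:string` regex counts those too and would over-count; the assumed names countAliases, validateAliasLimit and naiveRegexCount are this example's own.

```javascript
// Added example: alias counting as a pre-execution validation step.
// A `name :` pair outside parentheses is an alias; inside parentheses it is an
// argument or variable definition (`stores(storesIds: "watsons")`), which is
// not an alias. Strings and `#` comments are skipped so colons in them are
// never counted.
const NAME_START = /[_A-Za-z]/;
const NAME_CHAR = /[_0-9A-Za-z]/;

function countAliases(doc) {
  let i = 0, parenDepth = 0, aliases = 0;
  const n = doc.length;
  while (i < n) {
    const c = doc[i];
    if (c === '#') {                          // comment: skip to end of line
      while (i < n && doc[i] !== '\n') i++;
    } else if (c === '"') {                   // string or """block string"""
      if (doc.startsWith('"""', i)) {
        const end = doc.indexOf('"""', i + 3);
        i = end === -1 ? n : end + 3;
      } else {
        i++;
        while (i < n && doc[i] !== '"') i += doc[i] === '\\' ? 2 : 1;
        i++;
      }
    } else if (c === '(') { parenDepth++; i++; }
    else if (c === ')') { parenDepth = Math.max(0, parenDepth - 1); i++; }
    else if (parenDepth === 0 && NAME_START.test(c)) {
      let j = i + 1;
      while (j < n && NAME_CHAR.test(doc[j])) j++;
      let k = j;
      while (k < n && /[\s,]/.test(doc[k])) k++;   // commas are insignificant
      if (doc[k] === ':') aliases++;               // `name :` outside parens
      i = j;
    } else { i++; }
  }
  return aliases;
}

// Validation rule: refuse the whole document when the alias count exceeds max.
function validateAliasLimit(doc, max) {
  const count = countAliases(doc);
  return count > max
    ? { ok: false, count, error: `Too many aliases: ${count} > ${max}` }
    : { ok: true, count };
}

// The naive pattern from the remediation section, kept for comparison: it
// also matches argument colons, variable definitions and colons in strings.
function naiveRegexCount(doc) { return (doc.match(/\w+\s*:/g) || []).length; }

// Constructed sample query: two real aliases, several decoy colons.
const SAMPLE_QUERY = `query getStores($storesIds: [ID!]) {
  a1: stores(storesIds: $storesIds) { id name storeId }
  a2: stores(storesIds: "watsons") { id name storeId }
  stores(storesIds: "x:y") { id }  # comment with a colon: ignored
}`;
```

With a limit of, say, 100 aliases, the 10000-alias request from the Denial of Service section is rejected before any resolver runs, while ordinary multi-alias queries still pass.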

References

  1. The graphql-no-alias library: https://github.com/ivandotv/graphql-no-alias
  2. The Altair GraphQL Client tool used: https://chrome.google.com/webstore/detail/altair-graphql-client/flnheeellpciglgpaodhkhmapeljopja

Happy GraphQL Hacking!!