WENDIGO: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL

GraphQL is a type of web API which enables a unified endpoint for an application's resources through its own query language, and is widely adopted by companies such as Meta, GitHub, X, and PayPal. The query-based structure of GraphQL is designed to reduce the over-/under-fetching typical of REST web APIs. Consequently, GraphQL allows attackers to perform Denial-of-Service (DoS) attacks through queries inducing higher server loads with fewer requests. However, with the additional complexity introduced by GraphQL, ensuring applications are not vulnerable to DoS is not trivial. We propose WENDIGO, a black-box Deep Reinforcement Learning (DRL) approach only requiring the GraphQL schema to discover DoS exploitable queries against target applications. For example, our approach is able to discover queries which can perform a DoS attack utilizing only two GraphQL requests per hour, as opposed to the high volume of traffic required by traditional DoS attacks. WENDIGO achieves this by building increasingly more complex queries while maximizing response time by using GraphQL features to increase the server load. The effective query discovery offered by WENDIGO, not only enables developers to test for potential DoS risk in their GraphQL applications but also showcases DRL's value in security problems such as this one.