Exploit for CVE-2024-40094
Description

CVE-2024-40094 ENF (ExecutableNormalizedFields) Denial of Service Exploit

This script exploits the CVE-2024-40094 vulnerability in graphql-java by triggering an ExecutableNormalizedFields (ENF) based denial of service. It builds a crafted GraphQL introspection query with deeply nested aliases, designed to overwhelm the vulnerable server.

Overview

The script uses asynchronous requests to send a series of large introspection queries to a target GraphQL server. The queries are structured to exploit a specific weakness in how GraphQL servers handle deeply nested introspection queries. By issuing a large number of such queries in parallel, the script aims to cause a denial-of-service condition on vulnerable systems.

Key Features:
- Asynchronous Execution: uses asyncio and aiohttp for efficient, non-blocking requests.
- Parallel Requests: launches multiple jobs (coroutines) to simulate simultaneous requests.
- Customizable Parameters: several configuration options control the number of requests, the delay, and the maximum requests per job.
- Logging: optionally logs request results and errors to a file for analysis.

Vulnerable Targets

This exploit targets servers running a vulnerable version of graphql-java, specifically those that do not properly handle deeply nested introspection queries.

Affected Systems: graphql-java servers (versions vulnerable to CVE-2024-40094)

Installation

To run the exploit, you need Python 3.7+ with the following dependencies: aiohttp for asynchronous…
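A gateway-side pre-filter that rejects requests of the shape described above (deeply nested, heavily aliased introspection queries) before they reach the GraphQL engine, as an added defensive example that is not part of this exploit's code or of graphql-java. The `analyze`/`check` names, the thresholds and the sample queries are assumptions; the regex-based profiling is a heuristic, not a full GraphQL parser.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Lexical pre-pass: blank out string literals and comments, then strip argument
# lists innermost-first so "name: value" arguments are never counted as aliases.
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r'#[^\n]*')
_ARGS = re.compile(r'\([^()]*\)')
_ALIAS = re.compile(r'\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]')   # "alias: field"
_INTROSPECT = re.compile(r'\b__(?:schema|type)\b')

@dataclass(frozen=True)
class QueryStats:
    depth: int            # deepest selection-set nesting (brace depth)
    aliases: int          # number of aliased field selections
    introspection: bool   # query touches __schema or __type

def analyze(query: str) -> QueryStats:
    """Heuristic size profile of a GraphQL document (not a full parser)."""
    q = _COMMENT.sub('', _STRING.sub('""', query))
    while True:
        q, n = _ARGS.subn('', q)
        if n == 0:
            break
    depth = cur = 0
    for ch in q:
        if ch == '{':
            cur += 1
            depth = max(depth, cur)
        elif ch == '}':
            cur -= 1
    return QueryStats(depth, len(_ALIAS.findall(q)), bool(_INTROSPECT.search(q)))

def check(query: str, max_depth: int = 15, max_aliases: int = 100,
          introspection_max_aliases: int = 10) -> Tuple[bool, str]:
    """Return (accepted, reason). Thresholds are assumed policy values, tighter for introspection."""
    s = analyze(query)
    if s.depth > max_depth:
        return False, f"nesting depth {s.depth} exceeds {max_depth}"
    limit = introspection_max_aliases if s.introspection else max_aliases
    if s.aliases > limit:
        return False, f"{s.aliases} aliases exceeds limit {limit}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed samples: an ordinary query and a heavily aliased introspection query.
    print(check('query Q($id: ID!) { user(id: $id) { id name posts(first: 5) { title } } }'))
    print(check("{ " + " ".join(f"a{i}: __schema {{ types {{ name }} }}" for i in range(20)) + " }"))
```

Because the check runs on the raw request body, it can sit in a reverse proxy or middleware in front of any graphql-java deployment while the engine itself is being upgraded.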
