$ exploit --chain graphql-batching --target /graphql --rate-limit nginx
- Root cause: GraphQL batching bypassed request-based rate limits
- Barrier: 20 req/min at nginx
- Bypass: pack 2000 aliases per request, split into 5 requests
- Impact: brute-force OTP in minutes