added header

This commit is contained in:
gsmith257-cyber 2022-07-14 12:46:16 -07:00 committed by GitHub
parent 3cd54f0796
commit 199c17377e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -325,7 +325,7 @@ Mutation could even lead to account take over trying to modify other account dat
"query":"mutation updateProfile($username: String!,...){updateProfile(username: $username,...){...}}"
}
```
### Bypass authorization in GraphQL
[Chaining queries](https://s1n1st3r.gitbook.io/theb10g/graphql-query-authentication-bypass-vuln) together can bypass a weak authentication system.
In the below example you can see that the operation is "forgotPassword" and that it should only execute the forgotPassword query associated with it. This can be bypassed by adding a query to the end, in this case we add "register" and a user variable for the system to register as a new user.
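Review bot: the new heading `### Bypass authorization in GraphQL` is placed directly against the closing ``` fence above it and the paragraph below it with no blank line on either side; add a blank line before and after the heading so Markdown renderers do not run it together with the adjacent code block or paragraph. The heading also says "authorization" while the paragraph it introduces describes bypassing "a weak authentication system" and the linked reference is titled as an authentication bypass; pick one term so the heading matches the content beneath it.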