GraphQL

Tools

Install this and point it to the target

GitHub - graphql/graphql-playground: 🎮 GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration)GitHub

Initial Testing

query{__typename}

should return

{"__typename": "query"}}

Enumeration

Introspection to view the entire structure of the storage, and available queries to run

{__schema{types{name,fields{name}}}}

{__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{…FullType}directives{name description locations args{…InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated :true){name description args{…InputValue}type{…TypeRef}isDeprecated deprecationReason}inputFields{…InputValue}interfaces{…TypeRef}enumValues(includeDeprecated :true){name description isDeprecated deprecationReason}possibleTypes{…TypeRef}}fragment InputValue on __InputValue{name description type{…TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

Exploit Examples

Mutation to modify data

mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}

Querying IDOR

Use IDOR to see if you can access data that is not listed

query{product(id: 3) {id name listed}}

Batching Attacks

To bypass rate-limiting, a you can send multiple queries in a single GraphQL payload

Exploits Write Ups

CTFtime.org / SEC-T CTF / Dark market / WriteupCTFtime

Vulnerability lies in not ensuring the order ID belongs to a user ID. When an order is deleted, the amount is refunded to any user ID that is entered in the field

Misc CTF - GraphQL Injectionhg8's Notes — My notes about infosec world. Pentest/Bug Bounty/CTF Writeups.

SQL injection leading to crafting arbitrary GraphQL queries. Introspection leaked the schema, which allowed the attacker to query sensitive data.

Constellations

Basic introspection leading to querying of sensitive information

Mitigations

• If your API is not intended for use by the general public, disable introspection on it.

• If your API is intended for use by the general public then you will likely need to leave introspection enabled. However, you should review the API's schema to make sure that it does not expose unintended fields to the public.

• Make sure that suggestions are disabled. This prevents attackers from being able to use Clairvoyance or similar tools to glean information about the underlying schema. You cannot disable suggestions directly in Apollo.

• Make sure that your API's schema does not expose any private user fields, such as email addresses or user IDs.