# GraphQL

## Tools

Install this and point it to the target

{% embed url="https://github.com/graphql/graphql-playground" %}

## Initial Testing

```
query{__typename}
```

should return the name of the root query type (usually `Query`), wrapped in `data`:

```
{"data": {"__typename": "Query"}}
```

## Enumeration

Introspection to view the entire structure of the schema and the queries available to run

{% code overflow="wrap" %}

```
{__schema{types{name,fields{name}}}}

{__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```

{% endcode %}

## Exploit Examples

### Mutation to modify data

```
mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
```

### Querying IDOR

Use IDOR to see if you can access data that is not listed

```
query{product(id: 3) {id name listed}}
```

### Batching Attacks

To bypass rate-limiting, you can send multiple queries in a single GraphQL payload


## Exploits Write Ups

{% embed url="https://ctftime.org/writeup/7475" %}

The vulnerability lies in not verifying that the order ID belongs to the requesting user. When an order is deleted, the amount is refunded to whatever user ID is entered in the field.

{% embed url="https://hg8.sh/posts/misc-ctf/graphql-injection/" %}

SQL injection leading to crafting arbitrary GraphQL queries. Introspection leaked the schema, which allowed the attacker to query sensitive data.

{% embed url="https://jaimelightfoot.com/blog/hack-in-paris-2019-ctf-meet-your-doctor-graphql-challenge/" %}

Basic introspection leading to querying of sensitive information.

## Mitigations

* If your API is not intended for use by the general public, disable introspection on it.
* If your API is intended for use by the general public then you will likely need to leave introspection enabled. However, you should review the API's schema to make sure that it does not expose unintended fields to the public.
* Make sure that suggestions are disabled. This prevents attackers from being able to use Clairvoyance or similar tools to glean information about the underlying schema. You cannot disable suggestions directly in Apollo.
* Make sure that your API's schema does not expose any private user fields, such as email addresses or user IDs.
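
The request shapes covered above (introspection, and batching via a JSON array or via aliases) can be spotted before a query is executed. The following is an added example, not code from the original page: a pre-execution check that flags those shapes on a raw request body. The sample requests, thresholds and the alias regex are constructed here as assumptions; the regex is a heuristic, not a full GraphQL parser.

```python
import json
import re

# Matches the introspection root fields. "__typename" is deliberately not
# matched (the \b fails on "__typename"), since it is harmless and used as a probe.
INTROSPECTION_RE = re.compile(r"__schema\b|__type\b")
# Heuristic alias detection: "alias: field(" or "alias: field {".
# Argument syntax ("id: 3", "where: {") does not match, because the identifier
# after the colon must itself be followed by "(" or "{".
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*\s*[({]")


def _operations(body):
    """Return the operations in a request body; a JSON array is a batch."""
    parsed = json.loads(body)
    return parsed if isinstance(parsed, list) else [parsed]


def inspect_graphql_request(body, introspection_allowed=False, max_batch=1, max_aliases=5):
    """Return a list of finding strings for a raw request body (empty = nothing flagged)."""
    findings = []
    try:
        ops = _operations(body)
    except (ValueError, TypeError):
        return ["malformed-json"]
    if len(ops) > max_batch:
        findings.append(f"batch:{len(ops)}>{max_batch}")
    for idx, op in enumerate(ops):
        query = (op.get("query") or "") if isinstance(op, dict) else ""
        if not introspection_allowed and INTROSPECTION_RE.search(query):
            findings.append(f"introspection:op{idx}")
        aliases = len(ALIAS_RE.findall(query))
        if aliases > max_aliases:
            findings.append(f"aliases:op{idx}:{aliases}>{max_aliases}")
    return findings


# Constructed sample requests (hypothetical, built to exercise each check).
SAMPLE_REQUESTS = {
    "typename_probe": json.dumps({"query": "query{__typename}"}),
    "introspection": json.dumps({"query": "{__schema{types{name,fields{name}}}}"}),
    "json_batch": json.dumps([{"query": "query{product(id: 3) {id name listed}}"}] * 3),
    "alias_batch": json.dumps({"query": "query{" + " ".join(
        f"a{i}: product(id: {i}) {{id name}}" for i in range(8)) + "}"}),
}

if __name__ == "__main__":
    for name, body in SAMPLE_REQUESTS.items():
        print(name, inspect_graphql_request(body))
```

With `introspection_allowed=True` the introspection finding is suppressed, which matches the public-API case in the list above.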
