GRAPHQL ATTACK

Date: 01/04/2021
Team: Sun* Cyber Security Research

Agenda
• What is this?
• REST vs GraphQL
• Basic Blocks
• Query
• Mutation
• How to test

What is GraphQL?


GraphQL is an open-source data query and manipulation language for APIs, and a runtime
for fulfilling queries with existing data. GraphQL was developed internally by Facebook in
2012 before being publicly released in 2015.
• Powerful & flexible
o Leaves most other decisions to the API designer
o GraphQL imposes no requirements on the transport, authorization, or pagination.
Authorization in particular is left entirely to the implementer, which is where most
of the bug classes later in this deck come from.

Sun * Cyber Security Team 1


REST vs GraphQL
Over the past decade, REST has become the (somewhat fuzzy) standard for designing web
APIs. It offers some great ideas, such as stateless servers and structured access to
resources. However, REST APIs have proven too inflexible to keep up with the rapidly
changing requirements of the clients that access them.
GraphQL was developed to cope with the need for more flexibility and efficiency. It solves
many of the shortcomings and inefficiencies that developers experience when interacting
with REST APIs.
REST:
• Multiple endpoints
• Over-fetching / under-fetching
• Coupling with the front-end
• The client filters down the data
• Waterfall requests for related data
• The client aggregates the data itself
GraphQL:
• Only one endpoint
• Fetch only what you need
• API changes do not affect the front-end
• Strong schema and types
• Receive exactly what you ask for
• No aggregating or filtering of data on the client



Basic blocks

Schemas and Types



Schemas and Types (2)

GraphQL Query



Queries
• Arguments:
If the only thing we could do was traverse objects and their fields, GraphQL would
already be a very useful language for data fetching. But when you add the ability to
pass arguments to fields, things get much more interesting.

• Aliases:
If you have a sharp eye, you may have noticed that, since the result object fields
match the name of the field in the query but don't include arguments, you can't
directly query for the same field with different arguments. Aliases let you rename the
result of a field to anything you want, so the same field can be selected several times
with different arguments in one request.

• Fragments:
Fragments let you construct sets of fields, and then include them in queries where you need
them. The repeated selection set in the alias situation above can be written once as a
fragment and spread into each aliased field.
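The alias-plus-fragment construction described above, as an added example that is not part of the original slides: one request that reads the `user` field once per `id` value, each under its own alias, with the selection set written once as a fragment, and a helper that maps the aliased response keys back to the argument values. The field name `user`, its `id` argument and the `User` type are assumed for illustration.

```python
# Added example (not from the original slides): combining arguments, aliases
# and a fragment so one request reads the same field with many different
# arguments, plus a helper that maps the aliased response back to the
# argument values. The field `user`, its `id` argument and the `User` type
# are assumed for illustration.
import json

# Fragment: the selection set written once and reused under every alias.
USER_FRAGMENT = """fragment UserFields on User {
  id
  username
  email
}"""


def build_alias_query(field, arg_name, values, fragment_name="UserFields"):
    """Return a GraphQL document that selects `field` once per value.

    Without aliases the response object would have a single `field` key, so
    a second selection with a different argument is a validation error; the
    alias `<field>_<n>` gives each selection its own key in `data`.
    """
    lines = ["query {"]
    for n, value in enumerate(values):
        literal = json.dumps(value)  # GraphQL int/string literals match JSON
        lines.append(
            f"  {field}_{n}: {field}({arg_name}: {literal}) {{ ...{fragment_name} }}"
        )
    lines.append("}")
    return "\n".join(lines) + "\n\n" + USER_FRAGMENT


def dealias(data, field, values):
    """Map the aliased keys in a response's `data` back to argument values."""
    return {value: data.get(f"{field}_{n}") for n, value in enumerate(values)}


if __name__ == "__main__":
    print(build_alias_query("user", "id", [1, 2, 3]))
```

Because every aliased selection is resolved inside a single HTTP request, this is also the shape of query a tester uses to walk many `id` values while only spending one request against per-request rate limits.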

Mutations
As with REST, where convention reserves GET for reads, technically any GraphQL query could be
implemented to cause a data write. However, it is useful to establish the convention that any
operation that causes writes is sent explicitly as a mutation. From a testing point of view the
mutation type is therefore the first place to look for state-changing operations.



How to exploit?
Enumerate endpoints:
o /graphql
o /playground
o /graphiql
o /graphql.php
o /graphql/console
o /altair
o …



Practice targets (a collective list of public GraphQL APIs): https://github.com/APIs-guru/graphql-apis



Bug classes that can arise
• SQLi
• IDOR / BAC
• DoS
• Information leak
• Attacks on underlying APIs
SQL injection exploit:
• sqlmap works against GraphQL: save the request (e.g. from Burp) and pass it with -r,
marking the injectable argument value inside the JSON body with the * injection marker.
• Tool: https://github.com/swisskyrepo/GraphQLmap (also supports NoSQL injection)
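The injection itself, as an added example that is not from the slides: a resolver that builds SQL from the `username` argument by string concatenation, next to the parameterised fix, with a minimal argument extractor standing in for the GraphQL executor. GraphQL validates the argument as a String and passes the value through untouched, so the resolver is the only place the injection can be stopped. The schema, the field name, the table and the rows are all constructed here for illustration.

```python
# Added example (not from the original slides): a GraphQL resolver that
# concatenates a query argument into SQL, beside the parameterised fix.
# The `user(username:)` field, the table and its rows are constructed here.
import re
import sqlite3


def make_db():
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    return conn


def resolve_user_vulnerable(conn, args):
    # VULNERABLE: the GraphQL argument lands verbatim in the SQL text.
    sql = "SELECT id, username FROM users WHERE username = '%s'" % args["username"]
    return conn.execute(sql).fetchall()


def resolve_user_safe(conn, args):
    # FIXED: bound parameter; the value can never change the query structure.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (args["username"],)).fetchall()


# Stand-in for the executor: pull the `username` String argument out of the
# document (a real server parses the document; the resolver sees the same
# plain value either way).
ARG_RE = re.compile(r'username:\s*"((?:[^"\\]|\\.)*)"')


def execute(conn, query, resolver):
    match = ARG_RE.search(query)
    if not match:
        raise ValueError("no username argument in query")
    return resolver(conn, {"username": match.group(1)})


# Injection carried inside a GraphQL string literal (single quotes are
# ordinary characters in GraphQL strings, so nothing stops them here).
INJECTED_QUERY = '{ user(username: "x\' OR \'1\'=\'1") { id username } }'
NORMAL_QUERY = '{ user(username: "bob") { id username } }'

if __name__ == "__main__":
    db = make_db()
    print(execute(db, INJECTED_QUERY, resolve_user_vulnerable))  # every row
    print(execute(db, INJECTED_QUERY, resolve_user_safe))        # no row
```

The same payload is what you would place at the `*` marker in a saved request for sqlmap; the point of the block is that the GraphQL layer neither blocks nor transforms it.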



IDOR / BAC / PE:
• GraphQL has no built-in authorization mechanism
o It is entirely up to the developer to enforce it, usually resolver by resolver
• Leaked sensitive fields
o Querying a User directly -> 403
o User -> Posts -> Comment -> Comment Author (User) -> private info: the same object
is reachable through a nested path on which no check is applied
• Privilege escalation through mutations that write to an object without checking that
the caller is allowed to change it
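The nested-path leak from the slide, as an added example that is not from the original deck. The root field `user` enforces a check and returns 403 for anyone but the owner, but `Comment.author` hands back the full User object to any viewer, so the private `email` field is reachable through `user -> posts -> comments -> author`. The fix moves the check onto the sensitive field itself, so it holds no matter which path reaches the object. All users, posts, comments and field names are constructed for illustration.

```python
# Added example (not from the original slides): the nested-path leak
# User -> Posts -> Comment -> Comment Author -> private info, beside a fix
# that protects the private field where it is resolved. All data and names
# are constructed for illustration.

USERS = {
    1: {"id": 1, "username": "alice", "email": "alice@example.test"},
    2: {"id": 2, "username": "bob", "email": "bob@example.test"},
}
# alice's post, carrying a comment written by bob
POSTS = {
    1: [{"id": 10, "comments": [{"id": 100, "author_id": 2, "body": "hi"}]}],
    2: [],
}


class Forbidden(Exception):
    pass


def resolve_query_user(viewer_id, user_id):
    """Query.user: root-level check, only the owner may read a User."""
    if viewer_id != user_id:
        raise Forbidden("403")
    return USERS[user_id]


def resolve_comment_author(viewer_id, comment):
    """Comment.author: VULNERABLE, hands the full User object to any viewer."""
    return USERS[comment["author_id"]]


def resolve_user_email_safe(viewer_id, user):
    """User.email: FIXED, the check lives on the private field itself."""
    return user["email"] if viewer_id == user["id"] else None


def direct_access_allowed(viewer_id, user_id):
    """Does { user(id: user_id) { email } } succeed for this viewer?"""
    try:
        resolve_query_user(viewer_id, user_id)
        return True
    except Forbidden:
        return False


def nested_emails_vulnerable(viewer_id, user_id):
    """{ user(id) { posts { comments { author { email } } } } } with no field check."""
    user = resolve_query_user(viewer_id, user_id)
    return [resolve_comment_author(viewer_id, c)["email"]
            for post in POSTS[user["id"]] for c in post["comments"]]


def nested_emails_safe(viewer_id, user_id):
    """Same query once User.email is protected at the field."""
    user = resolve_query_user(viewer_id, user_id)
    return [resolve_user_email_safe(viewer_id, resolve_comment_author(viewer_id, c))
            for post in POSTS[user["id"]] for c in post["comments"]]


if __name__ == "__main__":
    print(direct_access_allowed(1, 2))        # False: alice cannot read bob directly
    print(nested_emails_vulnerable(1, 1))     # ['bob@example.test']: but she can via her post
    print(nested_emails_safe(1, 1))           # [None]
```

When reviewing a schema, list every type that can return `User` (or whichever type carries private fields) and check each such path, not only the root query field; GraphQL Path Enum in the tool list below automates exactly this search.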



DoS:
• A large, deeply nested query (typically cycling through related types, e.g. posts ->
comments -> author -> posts -> ...) forces the server to resolve an amount of data that
grows exponentially with the nesting depth. Without a depth or cost limit this is an
easy DoS from a single request.
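The nested query and the corresponding server-side defence, as an added example that is not from the slides: a builder for the cycling `posts -> comments -> author -> ...` query, and a depth check that a server (or a reviewer reading a request log) can apply before the executor touches a resolver. The type and field names are assumed; the depth counter is a simplified brace walk that skips string literals and comments rather than a full GraphQL parser, and the limit of 8 is an assumption to be tuned to the real schema.

```python
# Added example (not from the original slides): the deeply nested query used
# to exhaust a GraphQL server, and a depth limit applied before execution.
# `posts`, `comments`, `author` and MAX_DEPTH are assumed; query_depth() is a
# simplified brace walk (skips strings and comments), not a full parser.

MAX_DEPTH = 8  # assumed limit; choose one that fits the real schema


def build_nested_query(depth):
    """Build { posts { comments { author { posts { ... { id } } } } } }.

    Every level makes the server resolve every object of the next level, so
    the work grows roughly exponentially with `depth`.
    """
    cycle = ("posts", "comments", "author")
    selection = "id"
    for level in range(depth - 1, -1, -1):
        selection = f"{cycle[level % len(cycle)]} {{ {selection} }}"
    return "{ " + selection + " }"


def query_depth(query):
    """Nesting depth of selection sets below the root (0 for `{ __typename }`)."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if query.startswith('"""', i):              # block string literal
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        if ch == '"':                                # string literal, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            continue
        if ch == "#":                                # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth - 1 if max_depth else 0


def check_depth(query, limit=MAX_DEPTH):
    """Return (allowed, depth); reject before any resolver runs."""
    depth = query_depth(query)
    return depth <= limit, depth


if __name__ == "__main__":
    attack = build_nested_query(20)
    print(attack)
    print(check_depth(attack))   # (False, 20)
```

Depth alone is not the whole story: a wide query using many aliases at a shallow depth costs just as much, so production servers pair a depth limit with a cost or complexity budget.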



Information leak:
• Introspection query
o Returns the whole schema, including non-public / undocumented fields and mutations
• Error messages
o File paths
o Database schema
o ...
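The introspection query a tester sends first, together with a small analyser over the answer, as an added example that is not from the slides. The analyser lists every type with its fields and flags field names that hint at sensitive data, which is the manual step the introspection-analyzer tool in the tool list performs. The sample response is constructed here; the hint words are an assumption to be extended per target.

```python
# Added example (not from the original slides): an introspection query and a
# small analyser that lists types/fields from the response and flags names
# that hint at sensitive data. SAMPLE_RESPONSE and SENSITIVE_HINTS are
# constructed/assumed for illustration.
import json

INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name
      fields(includeDeprecated: true) {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind ofType { name kind } } }
      }
    }
  }
}
"""

SENSITIVE_HINTS = ("password", "secret", "token", "ssn", "email", "salary", "isAdmin", "role")


def type_name(t):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def analyse(introspection_json):
    """Summarise an introspection response: types, fields, flagged fields."""
    schema = introspection_json["data"]["__schema"]
    fields_by_type, flagged = {}, []
    for t in schema["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue  # skip introspection meta-types and scalars/enums
        names = []
        for f in t["fields"]:
            names.append(f"{f['name']}: {type_name(f['type'])}")
            if any(h.lower() in f["name"].lower() for h in SENSITIVE_HINTS):
                flagged.append(f"{t['name']}.{f['name']}")
        fields_by_type[t["name"]] = names
    return {
        "query_type": schema["queryType"]["name"],
        "mutation_type": (schema.get("mutationType") or {}).get("name"),
        "fields": fields_by_type,
        "flagged": flagged,
    }


# Constructed sample of what a server answers to INTROSPECTION_QUERY.
SAMPLE_RESPONSE = json.loads("""{"data":{"__schema":{
 "queryType":{"name":"Query"},"mutationType":{"name":"Mutation"},
 "types":[
  {"kind":"OBJECT","name":"Query","fields":[
    {"name":"user","args":[{"name":"id","type":{"name":null,"kind":"NON_NULL","ofType":{"name":"ID","kind":"SCALAR"}}}],
     "type":{"name":"User","kind":"OBJECT","ofType":null}}]},
  {"kind":"OBJECT","name":"User","fields":[
    {"name":"id","args":[],"type":{"name":null,"kind":"NON_NULL","ofType":{"name":"ID","kind":"SCALAR","ofType":null}}},
    {"name":"email","args":[],"type":{"name":"String","kind":"SCALAR","ofType":null}},
    {"name":"passwordHash","args":[],"type":{"name":"String","kind":"SCALAR","ofType":null}}]},
  {"kind":"OBJECT","name":"__Schema","fields":[{"name":"types","args":[],"type":{"name":null,"kind":"LIST","ofType":{"name":"__Type","kind":"OBJECT","ofType":null}}}]},
  {"kind":"SCALAR","name":"String","fields":null}
 ]}}}""")

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_RESPONSE), indent=2))
```

If the endpoint refuses `__schema`, introspection is disabled; that is a hardening measure, not a fix, since field names can still be guessed and the server's own validation errors often suggest them.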

Attacks on underlying APIs:
• Path traversal: when a resolver builds a backend request (an internal REST call, a file
path, ...) from a query argument, traversal sequences in that argument break out of the
intended context. The GraphQL type system only checks that the argument is a String.
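The traversal into an underlying API, as an added example that is not from the slides: a resolver that forwards the `id` argument into the path of an internal REST call, the `../` value that reaches a different resource, and the hardened version that allow-lists the argument's shape and percent-encodes it. The backend host and route are assumed.

```python
# Added example (not from the original slides): a resolver that forwards a
# GraphQL argument into the path of an internal REST call, the traversal that
# escapes the intended resource, and the hardened version. The backend host
# and route are assumed.
import posixpath
import re
from urllib.parse import quote, urlsplit

BACKEND = "http://internal-api.local"   # assumed internal service
ID_RE = re.compile(r"[0-9]{1,12}")        # assumed shape of a valid user id


def build_user_url_vulnerable(user_id):
    # VULNERABLE: the argument is only a GraphQL String and lands raw in the path.
    return f"{BACKEND}/api/v1/users/{user_id}"


def effective_path(url):
    """The path the backend actually serves once dot segments are resolved."""
    return posixpath.normpath(urlsplit(url).path)


def is_valid_id(user_id):
    return ID_RE.fullmatch(str(user_id)) is not None


def build_user_url_safe(user_id):
    # FIXED: allow-list the shape first, then percent-encode so that no
    # separator or dot segment can reach the backend even if the rule changes.
    if not is_valid_id(user_id):
        raise ValueError("invalid user id")
    return f"{BACKEND}/api/v1/users/{quote(str(user_id), safe='')}"


if __name__ == "__main__":
    payload = "../../admin/users"   # value of: { user(id: "../../admin/users") { ... } }
    print(effective_path(build_user_url_vulnerable(payload)))   # /api/admin/users
    print(is_valid_id(payload))                                 # False
```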



List of tools to check
• Burp extensions
o InQL
o GraphQL Raider
• Altair GraphQL Client
o https://altair.sirmuel.design/
o Proxy through Burp: --proxy-server=http://127.0.0.1:8080
• GraphQL Path Enum
o https://gitlab.com/dee-see/graphql-path-enum
o Finds how to reach a specific type from the query root
▪ Demo
• GraphQL Voyager
o https://apis.guru/graphql-voyager/
• https://github.com/gwen001/pentest-tools/blob/master/graphql-introspection-analyzer.py



