GraphQL

ko-fi

https://xmind.ai/share/gQBGfaVW
https://xmind.ai/share/gQBGfaVW

Found a target using GraphQL?

  1. Run the introspection query to map out all methods

  2. Use GraphQL Voyager to display all methods

  3. Use BatchQL or the InQL extension to test all methods for IDORs, SQLi, SSRF, etc

Definition

  • Query is an operation to retrieve data (read).

  • Mutation is an operation used to submit and write data (create, update, and delete).

  • Subscription is an operation used to send data (read) when an event occurs. Subscription is a way for GraphQL clients to listen to live updates from the server.

Detection

LogoGitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub
LogoWorking with GraphQL in Burp Suite - PortSwiggerBurp_Suite

Basics

LogoGraphQL cheatsheetDevhints.io cheatsheets

Fingerprinting

LogoGitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub
LogoGitHub - nicholasaleks/graphql-threat-matrix: GraphQL threat framework used by security professionals to research security gaps in GraphQL implementationsGitHub

Scan

Logographql.security - Is your GraphQL application secure?graphql.security

Introspection enabled

LogoGitHub - APIs-guru/graphql-voyager: 🛰️ Represent any GraphQL API as an interactive graphGitHub

Introspection disabled

Error Messages

LogoGitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema even if the introspection is disabledGitHub

JS Files

  1. Download all js files to directory js_files

  2. Run this command:

Scan endpoints

Wordlists

LogoGitHub - Escape-Technologies/graphql-wordlist: The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas.GitHub

IDOR

IDOR

Change the internalId field

Add extra field

Initial query

Modified query

Path Traversal

File Inclusion LFI / RFI

Mass Asignement - mutation

Mass Assignment

Initial query

Modified query - role added

CSRF

LogoHow to Perform CSRF Attack in GraphQL APIMedium

Bypassing rate limits

LogoGitHub - nicholasaleks/CrackQL: CrackQL is a GraphQL password brute-force and fuzzing utility.GitHub

Batching attack

Logo👉GraphQL Batching AttackWallarm

Tool: batchql

SQL injection

LogoMisc CTF - GraphQL Injectionhg8's Notes — My notes about infosec world. Pentest/Bug Bounty/CTF Writeups.

Get all informations about the API schema:

Ex:

SQL injection - Time based

Automated - Graphqlmap

NoSQL Injection

NoSQL injection

Use $regex, $ne frominside a search parameter.

LDAP Injection

LDAP Injection

Command injection

Command Injection

XSS

XSS

HTML Injection

DoS throught batched queries

Wordlists

LogoSecLists/Discovery/Web-Content/graphql.txt at master · danielmiessler/SecListsGitHub
LogoGitHub - Escape-Technologies/graphql-wordlist: The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas.GitHub

GraphQL Raider - Burp Extension

LogoGraphQL Raiderportswigger.net

InQL

Burp Extension

LogoGitHub - doyensec/inql: InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.GitHub
LogoInQL - GraphQL Scannerportswigger.net

CLI

LogoInQL Scanner · Doyensec's Blogblog.doyensec.com

Tools

LogoGitHub - omar2535/GraphQLer: 🔍A cutting edge context aware GraphQL API fuzzing tool!GitHub
LogoGitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)GitHub
LogoGitHub - doyensec/GQLSpection: GQLSpection - parses GraphQL introspection schema and generates possible queriesGitHub
LogoGitHub - assetnote/batchql: GraphQL security auditing script with a focus on performing batch GraphQL queries and mutationsGitHub
LogoGitHub - dolevf/graphql-cop: Security Auditor Utility for GraphQL APIsGitHub
LogoGitHub - gsmith257-cyber/GraphCrawler: GraphQL automated security testing toolkitGitHub
Logodee-see / graphql-path-enum · GitLabGitLab

Interesting Book

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

  • Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fi

buymeacoffee

Interesting Reports

1. https://hackerone.com/reports/2048725

2. https://hackerone.com/reports/2524939

3. https://hackerone.com/reports/2357012

4. https://hackerone.com/reports/2122671

5. https://hackerone.com/reports/2207248

6. https://hackerone.com/reports/1864188

7. https://hackerone.com/reports/1085332

8. https://hackerone.com/reports/1084904

9. https://hackerone.com/reports/1293377

10. https://hackerone.com/reports/1192460

Resources

https://inigo.io/blog/graphql_injection_attacksinigo.io
LogoGraphQL API vulnerabilities | Web Security AcademyWebSecAcademy
LogoFive easy ways to hack GraphQL targetsIntigriti
LogoHacking GraphQL endpoints in Bug Bounty ProgramsYesWeHack
LogoHacking GraphQL endpoints in Bug Bounty ProgramsYesWeHack
LogoGraphQL API Vulnerabilities, Common Attacks & Security TipsVAADATA - Ethical Hacking Services
LogoGraphQL Injection · kali/master · Kali Linux / Packages / payloadsallthethings · GitLabGitLab
PreviousRate LimitingNextTools & Scanners

Last updated