GraphQL

Various test cases

Last updated 4 years ago

Testing Methodology

1. Discovery

To check whether the current web application or service exposes a GraphQL endpoint, try a combination of common endpoint names such as "/graphql" and "/graphiql", with and without a version prefix (for example "/v1/graphql"). A generic wordlist compiled for this purpose is attached below (discovery.txt):

2. Schema via Introspection Query

Standard introspection query sent as a JSON POST body. Note the double-underscore prefixes on __schema, __Type and __InputValue; without them the query is invalid.

{"query": "query IntrospectionQuery {__schema {queryType { name },mutationType { name },subscriptionType { name },types {...FullType},directives {name,description,args {...InputValue},onOperation,onFragment,onField}}}\nfragment FullType on __Type {kind,name,description,fields(includeDeprecated: true) {name,description,args {...InputValue},type {...TypeRef},isDeprecated,deprecationReason},inputFields {...InputValue},interfaces {...TypeRef},enumValues(includeDeprecated: true) {name,description,isDeprecated,deprecationReason},possibleTypes {...TypeRef}}\nfragment InputValue on __InputValue {name,description,type { ...TypeRef },defaultValue}\nfragment TypeRef on __Type {kind,name,ofType {kind,name,ofType {kind,name,ofType {kind,name}}}}"}

What if introspection is disabled? Use field suggestions to reconstruct the schema step by step. For example, in the request below we check whether an operation "getData" exists by supplying the incomplete operation name "getd"; a server with suggestions enabled reveals the real field name in its "Did you mean ..." error message.

{"operationName":"xyz","variables":{},"query":"query xyz {getd }"}

3. Burp Active Scan of GraphQL operations

We will use the "GraphQL Raider" Burp extension together with Burp Intruder to define the insertion points inside GraphQL operations.

Steps:

  1. Install the Burp extension "GraphQL Raider".

  2. Send the request from Burp's HTTP history to Repeater.

  3. Observe the insertion points identified by "GraphQL Raider".

  4. Send the request to Burp Intruder.

  5. Highlight the insertion points observed in step 3.

  6. Now select Intruder > Scan defined insertion points.

4. Access endpoint without a token or Authorization header

5. Injection

  • [OS Command Injection, SQLi or NoSQLi]

6. IDOR (e.g. via query variables)

7. DoS

  • Batched queries [can be used for 2FA bypass], e.g. [{query 1}, {query 2}]

  • Deep Recursion Query

8. Deprecated Operations/Fields
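The introspection response from section 2 is the one artefact that answers sections 7 and 8 offline, so here is an added audit script (written for these notes, not part of any tool mentioned above) that reads a captured response and reports operations per root type, fields still served although deprecated, and object types whose fields point back at themselves (the shape a deep-recursion query abuses). The embedded schema is a constructed sample, not a real target.

```python
import json

# Constructed introspection response (not captured from any real target), trimmed
# to what the audit reads: root types, fields, deprecation flags, type references.
SAMPLE_INTROSPECTION = json.loads('''{"data": {"__schema": {
  "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": null,
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "getData", "isDeprecated": false, "deprecationReason": null,
       "type": {"kind": "OBJECT", "name": "User", "ofType": null}},
      {"name": "getUserById", "isDeprecated": true, "deprecationReason": "use getData",
       "type": {"kind": "OBJECT", "name": "User", "ofType": null}}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "login", "isDeprecated": false, "deprecationReason": null,
       "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"kind": "OBJECT", "name": "User", "fields": [
      {"name": "id", "isDeprecated": false, "deprecationReason": null, "type": {"kind": "NON_NULL",
       "name": null, "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}},
      {"name": "friends", "isDeprecated": false, "deprecationReason": null, "type": {"kind": "LIST",
       "name": null, "ofType": {"kind": "OBJECT", "name": "User", "ofType": null}}}]},
    {"kind": "SCALAR", "name": "ID", "fields": null},
    {"kind": "SCALAR", "name": "String", "fields": null}]}}}''')


def named_type(ref):
    """Unwrap NON_NULL/LIST wrappers (the TypeRef fragment) down to the named base type."""
    while ref and ref.get("ofType"):
        ref = ref["ofType"]
    return ref["name"] if ref else None


def audit_schema(introspection):
    """Summarise an introspection response: operations per root type, fields still served
    although deprecated (section 8), and object types whose fields point straight back at
    the same type, the shape a deep-recursion query (section 7) abuses. Only direct
    self-reference is checked; A -> B -> A cycles are left out for brevity."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    roots = {k: schema[k]["name"] for k in ("queryType", "mutationType", "subscriptionType")
             if schema.get(k)}
    operations = {root: [f["name"] for f in types[name]["fields"] or []]
                  for root, name in roots.items()}
    deprecated, self_referencing = [], []
    for tname, t in types.items():
        for f in t.get("fields") or []:
            if f["isDeprecated"]:
                deprecated.append(f"{tname}.{f['name']}: {f['deprecationReason']}")
            if named_type(f["type"]) == tname:
                self_referencing.append(f"{tname}.{f['name']}")
    return {"operations": operations, "deprecated": deprecated, "self_referencing": self_referencing}
```

Replace SAMPLE_INTROSPECTION with the JSON body returned by the query in section 2 to run it against a real capture; a non-empty self_referencing list is the cue to test (and, on the defending side, enforce) query depth limits.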

Attachment: discovery.txt (698B)