GraphQL exploitation → 💶💶💶

Parth Shukla
3 min read · Jun 24, 2021

Hello Folks 👋,

Parth this side, from the BUG XS team. In this blog I am going to discuss GraphQL injection. You can find my other write-ups here.

We discuss more about GraphQL exploitation in our bug bounty batches. DM BUG XS for more info ❤

Let's get started 🙌

ABOUT GRAPHQL

GraphQL was initially developed and used by Facebook as an internal query language, so its features largely revolve around internal and development use. GraphQL executes queries against a type system defined for the data. An important but often overlooked feature of GraphQL is the ability to ask a GraphQL schema which queries it supports, with the help of the introspection system.

WHAT IS GRAPHQL

  1. It is an alternative to API standards like REST and SOAP.
  2. It is a query language for APIs. It is used to interact with and fetch data from the back end.
  3. GraphQL is also written in JSON format.
  4. Unlike a REST API, GraphQL gets all the data in a single request (check the image below).

Now we have a rough idea of what GraphQL is. Let's jump into the finding.

FINDING

Let us consider the target to be redacted.com. There are many common GraphQL endpoints, so I suggest you add these to your fuzzing list. Moreover, Burp Suite will help you out with GraphQL endpoints. Some of the endpoints are:

  1. /graphql
  2. /graphiql
  3. /graphql.php or /graphql.php/debug=1
  4. /graphie/console/ → Online GQL IDE to interact with back-end

I found the /graphql endpoint while fuzzing with FFUF. So, next I checked whether it had an online IDE for GraphQL enabled for direct interaction with the server. Unfortunately it was not there 😪 but that shouldn't put down your motivation, because we don't expect an online IDE directly unless you are in a lab.

Now, Burp Suite is always to the rescue if you want to send a manipulated request to the server. So I sent my request to Repeater for further exploitation.

So, till now I found the following points:

  1. GraphQL is enabled
  2. IDE is not enabled.

Introspection Query

Now, what does an introspection query really do?

An introspection system can completely reveal the back-end system defined by the developers, including arguments, fields, types, descriptions, the deprecation status of types and so on. This can easily give out a complete map of the back-end system along with the schema and directives. Thus, getting output for an introspection query is still a vulnerability.
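On the defending side, one way to see whether anyone is requesting this schema map from your own endpoint is to check each request body for the introspection meta-fields, so that the request can be logged or refused. The following is an added example, not code from the original post; the function names and the sample request bodies are constructed for illustration.

```python
import json
import re

# Strip block strings, strings and comments so names inside them are ignored.
_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
# GraphQL Name tokens; __typename is a different token and is not flagged.
_NAME = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')
INTROSPECTION_FIELDS = {"__schema", "__type"}


def introspection_fields(query: str) -> set:
    """Return the introspection meta-fields named in one GraphQL document."""
    cleaned = _NOISE.sub(" ", query)
    return INTROSPECTION_FIELDS & set(_NAME.findall(cleaned))


def audit_request(body: str) -> list:
    """Check a POST body (single operation or batched array) and return
    (index, operationName, fields) for every operation using introspection."""
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    ops = payload if isinstance(payload, list) else [payload]
    hits = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            continue
        found = introspection_fields(op["query"])
        if found:
            hits.append((i, op.get("operationName"), sorted(found)))
    return hits


# Constructed sample bodies (not taken from the original post).
SAMPLES = [
    '{"query": "{ __schema { queryType { name } } }"}',
    '{"query": "query Q { user(id: 1) { __typename name } }", "operationName": "Q"}',
    '{"query": "{ search(text: \\"__schema\\") { id } } # __type"}',
    '[{"query": "{ me { id } }"}, {"query": "{ a: __type(name: \\"User\\") { fields { name } } }"}]',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_request(sample))
```

Aliases do not hide the meta-field because the field name itself must still appear in the document, and batched bodies are checked operation by operation.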

So, when I executed the introspection query, it gave me output defining the relations between fields, types, etc., but as I wrote before, GraphQL works in JSON, so figuring out relations in JSON is really time-consuming. Nevertheless, we have apis-guru to the rescue. You can paste your introspection output and it will give you all the relations of all the fields and columns. You can check it out here.

With all the relations, I could even do a DoS attack on their server. :-/

So, till now I found the following points:

  1. GraphQL is enabled
  2. IDE is not enabled
  3. Back-end system relations with the help of introspection

GRAPHQL MUTATION QUERIES

What are GraphQL mutation queries used for?

So, the answer is that mutation queries are used to create, edit and delete data in the back-end system. After seeing the relations in the introspection query, I was able to figure out different methods, what I could edit and what could do real harm to redacted.com. Now, I can call different methods with the query below.

{
  __schema {
    queryType {
      name
    }
  }
}

In the query type you can mention what you would like to have. So, I tried to add data; it gave me an authorization error, but I guess I could edit or delete data because it threw a different error which I knew how to solve. (I never did this because they mentioned not to play around with internal data 😂).

Thus I reported this vulnerability and was rewarded with 💶💶💶.

If you read till here, please feel free to connect on my community page.

Instagram ( Community ) : https://www.instagram.com/bug_xs/

Website ( Community ) : https://www.bugxs.co/

Website (Personal ) : https://www.parthshu.com

I hope you found this productive! 🙌

Written by Parth Shukla

Security Analyst, Bug XS Community Leader