GraphQL

R3zk0n · October 2, 2025

Contents

    Clients

    • https://altair.sirmuel.design/

    General Resources

    • https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
    • https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
    • https://labs.detectify.com/2018/03/14/graphql-abuse/

    Basic Introspection

    • https://github.com/gwen001/pentest-tools/blob/master/graphql-introspection-analyzer.py

    Denial of Service Queries

    • https://www.apollographql.com/blog/graphql/security/securing-your-graphql-api-from-malicious-queries/
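    As an added example (not code from the original page or from the Apollo post linked above), the check below scans a GraphQL document before it reaches the parser and measures the two query shapes that post warns about: selection-set nesting depth and alias count. It is a single-pass scan that ignores braces inside string literals and `#` comments; the depth and alias limits are assumed values for the example.

```python
"""Pre-execution limits on query shape.

Added example (not code from the original page or the linked Apollo post):
a single-pass scan that measures selection-set nesting depth and counts
aliases, the two query shapes abused for resource exhaustion, so a request
can be rejected before the parser or any resolver runs. Braces inside string
literals and '#' comments are ignored; the limits below are assumed values.
"""

MAX_DEPTH = 5
MAX_ALIASES = 20


def analyze(query: str) -> dict:
    """Return {'depth': d, 'aliases': a} for a GraphQL document string.

    depth   = deepest nesting of selection-set braces (outermost set = 1)
    aliases = `alias: field` pairs outside argument lists; `name: value`
              inside parentheses (arguments, variable definitions) is skipped
    Fragment spreads are not expanded, so depth hidden behind a fragment only
    shows up when the fragment definition is part of the same string.
    """
    depth = max_depth = parens = aliases = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                             # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif ch == '"':
            if query.startswith('"""', i):        # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                 # plain string, honour escapes
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == "\\" else 1
                i += 1
            continue
        elif ch == "(":
            parens += 1
        elif ch == ")":
            parens -= 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        elif ch == ":" and parens == 0 and depth > 0:
            aliases += 1
        i += 1
    return {"depth": max_depth, "aliases": aliases}


def check(query: str, max_depth: int = MAX_DEPTH, max_aliases: int = MAX_ALIASES):
    """Return None when the query is within limits, else the rejection reason."""
    m = analyze(query)
    if m["depth"] > max_depth:
        return f"query depth {m['depth']} exceeds limit {max_depth}"
    if m["aliases"] > max_aliases:
        return f"{m['aliases']} aliases exceed limit {max_aliases}"
    return None


# Constructed sample requests: a normal one, a deeply nested one, and an
# alias-batched one that repeats the same field thirty times.
NORMAL = '{ user(id: "42") { username email } }'
DEEP = "{ a { b { c { d { e { f { g } } } } } } }"
BATCHED = "{ " + " ".join(f'u{i}: user(id: "{i}") {{ email }}' for i in range(30)) + " }"

if __name__ == "__main__":
    for q in (NORMAL, DEEP, BATCHED):
        print(analyze(q), check(q) or "accepted")
```

    Run as a script it prints the measurements for the three constructed requests; `check()` is the function to call from a request handler, and the same limits are what server-side libraries expose as depth-limit and complexity plugins.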

    URL-encoded Introspection

    fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
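    The query above (and the analyzer script linked under Basic Introspection) returns a JSON document whose `TypeRef` fragment nests `ofType` up to eight levels deep. As an added example, not code from the original page or from the linked script, the snippet below decodes the form-encoded query and summarises what such a response discloses: it folds the `ofType` chain back into SDL notation, lists every root operation field with its argument signature, the object types exposed, and the deprecated fields that `includeDeprecated: true` still returns. The response it parses is constructed for the example.

```python
"""Summarise what an introspection response discloses.

Added example, not code from the original page or the linked analyzer
script. Given the JSON returned by the IntrospectionQuery above (the same
query in its URL-encoded form), it rebuilds SDL notation from the nested
`ofType` chain of the TypeRef fragment and lists every root operation field
with its argument signature, the exposed object types and every deprecated
field. The response below is constructed.
"""
import json
from urllib.parse import unquote_plus

# First characters of the URL-encoded query on the page, for decode_query().
ENCODED_PREFIX = "fragment+FullType+on+__Type+{++kind++name++description"


def decode_query(encoded: str) -> str:
    """Reverse form-encoding: '+' becomes a space and %3a becomes ':'."""
    return unquote_plus(encoded)


def render_type(ref: dict) -> str:
    """Fold a TypeRef (kind / name / ofType ...) back into SDL, e.g. [User!]!."""
    kind = ref["kind"]
    if kind == "NON_NULL":
        return render_type(ref["ofType"]) + "!"
    if kind == "LIST":
        return "[" + render_type(ref["ofType"]) + "]"
    return ref["name"]


def summarize(introspection: dict) -> dict:
    """Root operation signatures, exposed object types and deprecated fields."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    out = {"roots": {}, "objects": [], "deprecated": []}
    for op in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(op)
        if not root:
            continue                      # operation type not defined
        sigs = []
        for f in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}" for a in f.get("args") or [])
            sig = f"{f['name']}({args})" if args else f["name"]
            sigs.append(f"{sig}: {render_type(f['type'])}")
        out["roots"][op] = sigs
    for t in schema["types"]:
        if t["name"].startswith("__"):    # skip the introspection meta-types
            continue
        if t["kind"] == "OBJECT":
            out["objects"].append(t["name"])
        for f in t.get("fields") or []:
            if f.get("isDeprecated"):
                out["deprecated"].append(f"{t['name']}.{f['name']}: {f.get('deprecationReason') or ''}")
    out["objects"].sort()
    return out


# --- constructed introspection response (shape of the real one, tiny size) ---
def _named(kind, name):
    return {"kind": kind, "name": name, "ofType": None}

def _non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}

def _list(inner):
    return {"kind": "LIST", "name": None, "ofType": inner}

def _field(name, type_ref, args=(), deprecated=None):
    return {"name": name, "args": [{"name": n, "type": t} for n, t in args],
            "type": type_ref, "isDeprecated": deprecated is not None,
            "deprecationReason": deprecated}

USER = _named("OBJECT", "User")
STRING = _named("SCALAR", "String")

SAMPLE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            _field("user", USER, args=[("id", _non_null(_named("SCALAR", "ID")))]),
            _field("users", _non_null(_list(_non_null(USER)))),
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            _field("exportUsers", _named("SCALAR", "Boolean"), args=[("format", STRING)],
                   deprecated="moved to admin API"),
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [_field("username", STRING), _field("email", STRING)]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "SCALAR", "name": "ID", "fields": None},
        {"kind": "SCALAR", "name": "Boolean", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}

if __name__ == "__main__":
    print(decode_query(ENCODED_PREFIX))
    print(json.dumps(summarize(SAMPLE), indent=2))
```

    The summary is what a reviewer compares against the intended public surface: any root field, object type or deprecated-but-still-served field that should not be visible is a finding, and the usual mitigation is to disable introspection in production or put it behind authentication.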
    

    GraphQL Information

    GraphQL, a query language for APIs, was developed by Facebook. The GraphQL specification defines the structure and language for working with GraphQL.

    The standard flow of GraphQL involves several components:

    graph LR;
        Client(Client) --> GQL_Query(GraphQL Query);
        GQL_Query --> Query_Parser(Query Parser);
        Query_Parser --> Schema(Schema);
        Schema --> Resolver_Functions(Resolver Functions);
        Resolver_Functions --> Database(Database);
        Database --> Resolver_Functions;
        Resolver_Functions --> Schema;
        Schema --> GQL_Response(GraphQL Response);
        GQL_Response --> Client;
    
    

    Here’s a breakdown of the flow:

      1. The client sends a GraphQL query (GQL_Query) to the server.
      2. The query is passed to the query parser (Query_Parser), which parses it and validates its syntax.
      3. The parsed query is then matched against the defined schema (Schema), which describes the available data and operations. Resolver functions (Resolver_Functions) are responsible for fetching the data requested in the query from the appropriate data sources, such as databases; they interact with the database (Database) to retrieve or manipulate data.
      4. The database returns the requested data to the resolver functions.
      5. The resolver functions construct the GraphQL response (GQL_Response) by combining the fetched data with the fields and relationships requested in the query.
      6. The GraphQL response is sent back to the client, completing the flow. This flow shows how GraphQL lets clients request specific data and receive a response tailored to their needs, reducing over-fetching and under-fetching of data.

    GraphQL schemas are defined using the SDL (Schema Definition Language). A typical definition of two object types looks like this:

    type User {
      username: String
      email: String
    }

    type Location {
      Lat: Int
      Long: Int
    }
    

    In the SDL, each type is defined as an object (User, Location), and each object has fields: object-specific attributes that carry values. In the example, the objects are User and Location; User has the fields username and email.
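    To tie the request flow and the SDL together, here is the whole pipeline (parse, validate against the schema, resolve, respond) as a toy executor. This is an added example, not code from the original page or from any GraphQL library: it assumes the page's two object types plus a Query root, a query language limited to nested field selections without arguments, and an in-memory dict standing in for the database. The step worth watching is validation, which rejects any field the schema does not declare before a resolver runs, so the schema acts as the allow-list of what a client can read regardless of what the data store holds.

```python
"""The request flow above as a toy executor (added example, not the page's).

Assumptions, all constructed: the SDL is the page's two object types plus a
Query root; queries are nested field selections with no arguments; the
"database" is an in-memory dict. Validation runs before any resolver, so a
field that exists in the store but not in the schema is never reachable.
"""
import re

SDL = """
type User {
  username: String
  email: String
}

type Location {
  Lat: Int
  Long: Int
}

type Query {
  user: User
  location: Location
}
"""

# Constructed data store; password_hash is deliberately absent from the schema.
DATABASE = {
    "users": [{"username": "alice", "email": "alice@example.com",
               "password_hash": "constructed-placeholder"}],
    "locations": [{"Lat": 51, "Long": 0}],
}

# Resolver functions for the root type; every other field uses the default
# resolver, a property lookup on the parent object.
RESOLVERS = {
    "Query": {
        "user": lambda db: db["users"][0],
        "location": lambda db: db["locations"][0],
    },
}

_TYPE_RE = re.compile(r"type\s+(\w+)\s*\{([^}]*)\}")
_FIELD_RE = re.compile(r"(\w+)\s*:\s*(\w+)")

def parse_sdl(sdl: str) -> dict:
    """Schema as {TypeName: {fieldName: typeName}}."""
    return {name: dict(_FIELD_RE.findall(body)) for name, body in _TYPE_RE.findall(sdl)}

def parse_query(query: str) -> dict:
    """Query parser: '{ a { b c } }' -> {'a': {'b': None, 'c': None}}."""
    tokens = re.findall(r"\{|\}|\w+", query)
    pos = 0

    def selection_set():
        nonlocal pos
        if tokens[pos] != "{":
            raise ValueError("Syntax Error: expected '{'")
        pos += 1
        sel = {}
        while tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            sel[name] = selection_set() if tokens[pos] == "{" else None
        pos += 1
        return sel

    return selection_set()

def validate(schema: dict, selection: dict, type_name: str = "Query") -> None:
    """Reject any field the schema does not declare on the parent type."""
    fields = schema[type_name]
    for name, sub in selection.items():
        if name not in fields:
            raise ValueError(f"Cannot query field '{name}' on type '{type_name}'")
        child = fields[name]
        if sub is not None and child not in schema:
            raise ValueError(f"Field '{name}' of type '{child}' has no subfields")
        if sub is None and child in schema:
            raise ValueError(f"Field '{name}' of type '{child}' must have a selection of subfields")
        if sub is not None:
            validate(schema, sub, child)

def execute(schema: dict, selection: dict, type_name: str = "Query", parent=None) -> dict:
    """Run resolvers for an already-validated selection and shape the response."""
    result = {}
    for name, sub in selection.items():
        resolver = RESOLVERS.get(type_name, {}).get(name)
        value = resolver(DATABASE) if resolver else parent[name]
        if sub is not None:
            value = execute(schema, sub, schema[type_name][name], value)
        result[name] = value
    return result

def handle_request(query: str) -> dict:
    """Parse -> validate against the schema -> resolve -> response."""
    schema = parse_sdl(SDL)
    try:
        selection = parse_query(query)
        validate(schema, selection)
    except (ValueError, IndexError) as exc:
        return {"errors": [{"message": str(exc)}]}
    return {"data": execute(schema, selection)}

if __name__ == "__main__":
    print(handle_request("{ user { username email } location { Lat Long } }"))
    print(handle_request("{ user { password_hash } }"))
```

    The second request in the `__main__` block asks for a field the store contains but the schema does not, and gets an error object rather than data; the response shape (`data` on success, `errors` on failure) follows the GraphQL convention the page's flow diagram ends in.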


    GraphQL Operations

    • Query
    • Mutation
    • Subscription

