2. Agenda
• What is GraphQL
• REST vs GraphQL
• Example for REST/GraphQL
• Architecture
• Basics
• Pentesting GraphQL
3. What Is GraphQL?
• New API standard that was invented and open-sourced by Facebook.
• GraphQL is a query language for APIs - not databases.
• It is database agnostic and effectively can be used in any context where an
API is used.
• GraphQL enables declarative data fetching.
• GraphQL is used in production by multiple companies such as GitHub,
Twitter, Coursera, etc.
4. REST vs GraphQL?
• Multiple Round Trips To Fetch Related Resources.
• Over Fetching / Under Fetching.
• Rapid Product Iterations on the Frontend.
• Benefits of a Schema & Type System
12. GraphQL Tip
• Pentesting an app that uses GraphQL? POST is more common, but
remember that it accepts GET too. URL encode & hit /graphql?query=. Eg,
a 'schema' request as GET:
https://example.com/graphql?query= {__schema%20{%0atypes%20{%0an
ame%0akind%0adescription%0afields%20{%0aname%0a}%0a}%0a}%0a}
Thanks to https://twitter.com/coffeetocode
13. Enumeration
• Look for traffic sent via server to find graphql endpoint.
o/graphql/
o/graphql/console/
o/graphql.php
o/graphiql/
o/graphiql.php
• Try sending a request to API and error is : “Syntax Error: Expected Name, found }”.
This confirms graphql.
• GraphQL endpoints may have a GUI, if present we can check Docs directly.
14. Introspection
• GraphQL allows querying to get metadata via introspection query to find
out about the schema with description of data.
• It is similar to information_schema tables in databases.
• It allows attacker to find what requests exist/what arguments should be
passed.
• GraphQL Introspection Query:
https://gist.github.com/a7v8x/c30d92d2ca2458035aadc41702da367d
• Developers can disable this feature but majority of applications leave it
open.
• Hands-On : Hackerone
Ref: https://graphqlmastery.com/blog/graphql-introspection-
and-introspection-queries
15. Injection
• Most of the applications are connected with any database. So there is a
high chance for SQL injection, NoSQL injection and other injections.
• Detecting SQL injection and exploiting it using UNION SELECT.
• Also using sqlmap for exploitation.
• There are high chance that application may have multiple parameters
vulnerable to SQL injections.
• Example : https://blog.usejournal.com/time-based-blind-sql-injection-in-
graphql-39a25a1dfb3c
• Hands On: https://pentesterlab.com/exercises/graphql_ii/course
16. Information Disclosure
• GraphQL is just a layer between client apps and the database.
• Try visiting url/graphql.php?debug=1 to find debug mode and additional
error reporting.
• Inserting single quote/double quote to find out error related to server
and graphql.
• Going through the id values/userquery, we will be able to get information
about other users (or maybe not, if everything is configured correctly).
17. Broken Access Control
• Broken Access control may allow attacker use admin email and brute-force
login credentials to get admin level access.
• Steps to reproduce:
• Accessing other users profile details like id, email.
• Vulnerable graphql query:
query{
users{
id
email
isAdmin isActive } }
18. Authorization Bypass
• Suppose we can create users:
mutation {
createPerson (username: ”User1", password: ”user1") { } }
• Assuming that there is a certain isAdmin parameter in the handler on the
server, we can send a request of the form:
mutation {
createPerson (username: ”User1", password: ”user1", isAdmin: True) { } }
• And make the user User1 an administrator.
19. Brute Force/Denial Of Service
• Brute forcing email, id, etc parameters.
• Brute forcing mutation and other similar queries.
• Low privilege or non-admin user can view details by brute-forcing login
credentials where rate limiting is not present.
• Nested queries can cause denial of service to the application.
query {
stories{ title body comments{ comment author{ comments{ author{ comments{ comment author{ comments{
comment author{ comments{ comment author{ name }} }
} } }
} } }
} } }
