Hacking GraphQL
Presented by Anugrah SR
ANUGRAH S R
Cyber Security consultant and Security Researcher
Bugbounty Hunter
Synack Red Team Member
Hacked and secured multiple organisations
including Apple, Redbull, Sony, Dell, Netflix and
many more
Blog: www.anugrahsr.in
Connect with me
Twitter: @cyph3r_asr | LinkedIn: anugrah-sr
Agenda
What is GraphQL?
Why GraphQL?
Reconnaissance / Discovery
Hacking GraphQL
Who is this for?
Bug bounty hunter: $$$$
Pentester / VAPT: Amazing finding for your report
Developer: Make your app more secure
GraphQL is an open-source data query language and data manipulation language for
APIs, and a query runtime engine.
GraphQL is a query language that was created by Facebook and made public in 2015.
It offers an alternative to using REST APIs for data retrieval.
Why GraphQL?
GraphQL was created for more flexible and efficient API development.
It addresses the limitations and challenges of REST APIs.
GraphQL provides greater flexibility compared to REST APIs.
REST APIs require multiple round trips to the server to fetch data.
GraphQL solves the need for multiple round trips to the server by allowing
developers to specify the data they need in a single request.
REST vs GraphQL
Why GraphQL?
Avoid Over- and Underfetching: we only fetch what we need from the server by
constructing our query to only include what we need.
Prevent multiple API calls: In case you need more data, you can also avoid
making multiple calls to your API. In the case above, you don't need to make 2 API
calls to fetch /order and /product separately.
API Versioning: When the need for new features arises, you can easily add
additional fields, queries, mutations, etc. to the server without affecting other
parts of the application. Additionally, it is easier to remove old features.
Self-documenting: Every GraphQL API conforms to a "schema" which is the
graph data model and what kinds of queries a client can make.
Who is using GraphQL?
Reconnaissance / Discovery
/graphql
/graphql/console
/graphql.php
/graphiql.php
/explorer
/altair
/playground
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt
Reconnaissance / Discovery
Fuzzing
ffuf -w graphql.txt -u https://target/FUZZ
Nuclei
#List of targets
nuclei -t graphql-detect.yaml -l target_domains.txt
#Single target
nuclei -t graphql-detect.yaml -u https://example.com
Reconnaissance / Discovery
Graphw00f
python3 main.py -f -d -t http://localhost:5000
GraphQL Threat Matrix
https://github.com/nicholasaleks/graphql-threat-matrix/
Other tools for discovery
graphw00f: https://github.com/dolevf/graphw00f
goctopus
graphinder
Where is the API documentation?
Which API functions exist?
Introspection Query:
Special type of query that can be used to retrieve the schema for a GraphQL API.
This schema defines the types of data that the API can return, available fields for
those types and the arguments that can be passed to those fields.
Generating documentation for an API
Helping to debug an issue with the schema.
query { __schema { types { name fields { name type { name kind } } } } }
Schema visualization
GraphQL Voyager https://ivangoncharov.github.io/graphql-voyager/
What if the introspection query is disabled?
Many GraphQL servers still suggest field and operation names in their error
messages ("Did you mean ...?"). clairvoyance uses these suggestions to
reconstruct the schema without introspection.
clairvoyance https://github.com/nikitastupin/clairvoyance
Recommended Tools/Extensions
Burp Suite
GraphQL Raider
inQL
Browser Extension
Altair
GraphQL Operations
GraphQL is soo good! or is it?
Information Disclosure
Information Disclosure - High
https://hackerone.com/reports/419883
HANDS-ON TIME
http://hackme3.vulnmachines.com:8088/
https://www.vulnmachines.com
Denial of Service (DoS)
Unrestricted Resource Consumption
Resource Intensive Query Attack
Batch Query Attack
Aliases based Attack
Field Duplication Attack
Deep Recursion Query Attack
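The five DoS classes listed above all show up as structural properties of the query text before it is ever executed: nesting depth (deep recursion), alias count (alias batching), repeated field names (field duplication), and the number of operations in one HTTP body (batch queries). The following added example, which is not part of the slides or of any project they mention, is a small pre-execution guard that measures those properties on a raw request body and returns the reasons to reject it. The limits (MAX_DEPTH etc.) and the sample queries are constructed assumptions; a real deployment would tune them to its schema and would normally use the server's own validation rules (depth and cost limiters) in addition to this kind of cheap front check.

```python
import json
import re
from collections import Counter

# Illustrative limits (assumptions, tune to the real schema). They are
# applied before the query reaches the executor.
MAX_DEPTH = 6
MAX_ALIASES = 10
MAX_BATCH = 5
MAX_FIELD_REPEATS = 20

KEYWORDS = {"query", "mutation", "subscription", "fragment", "on",
            "true", "false", "null"}
_STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')   # string literals
_ARGS_RE = re.compile(r"\([^()]*\)")             # argument lists / variable defs
_ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*")
_WORD_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def normalize(query: str) -> str:
    """Drop string literals and parenthesised argument lists (including
    variable definitions such as ($id: ID!)) so braces and colons inside
    them do not distort the counts below."""
    query = _STRING_RE.sub('""', query)
    return _ARGS_RE.sub("", query)


def analyze(query: str) -> dict:
    """Cheap structural metrics for one operation: selection-set nesting
    depth, number of aliases, and the most-repeated field name."""
    q = normalize(query)
    depth = cur = 0
    for ch in q:
        if ch == "{":
            cur += 1
            depth = max(depth, cur)
        elif ch == "}":
            cur -= 1
    aliases = _ALIAS_RE.findall(q)
    alias_names = {a.split(":")[0].strip() for a in aliases}
    words = [w for w in _WORD_RE.findall(q)
             if w not in KEYWORDS and w not in alias_names]
    most_common = Counter(words).most_common(1)
    return {
        "depth": depth,
        "aliases": len(aliases),
        "max_field_repeat": most_common[0][1] if most_common else 0,
    }


def check_request(body: str) -> list:
    """Return the reasons to reject an HTTP request body; [] means allowed."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]   # batched?
    reasons = []
    if len(ops) > MAX_BATCH:
        reasons.append(f"batch of {len(ops)} operations exceeds {MAX_BATCH}")
    for i, op in enumerate(ops):
        s = analyze(op.get("query", ""))
        if s["depth"] > MAX_DEPTH:
            reasons.append(f"op {i}: depth {s['depth']} exceeds {MAX_DEPTH}")
        if s["aliases"] > MAX_ALIASES:
            reasons.append(f"op {i}: {s['aliases']} aliases exceed {MAX_ALIASES}")
        if s["max_field_repeat"] > MAX_FIELD_REPEATS:
            reasons.append(f"op {i}: a field repeats {s['max_field_repeat']} times")
    return reasons


# Constructed sample requests, one per attack class named on the slide.
OK_QUERY = "query { me { id name } }"
DEEP_QUERY = "query { me " + "{ friends " * 6 + "{ name }" + " }" * 6 + " }"
ALIAS_QUERY = "query { " + " ".join(
    'a%d: login(username: "u", password: "p%d") { token }' % (i, i)
    for i in range(20)) + " }"
BATCH = json.dumps([{"query": OK_QUERY}] * 6)

if __name__ == "__main__":
    for label, body in [("ok", json.dumps({"query": OK_QUERY})),
                        ("deep", json.dumps({"query": DEEP_QUERY})),
                        ("aliases", json.dumps({"query": ALIAS_QUERY})),
                        ("batch", BATCH)]:
        print(label, check_request(body) or "allowed")
```

The brace/regex approach is deliberately approximate (it counts tokens, not a parsed AST), which is what makes it cheap enough to run on every request; treat it as a first filter in front of, not instead of, proper query-cost analysis.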
Server Side Request Forgery (SSRF)
Allows an attacker to induce the server-side application to make requests
to an unintended location.
Broken Object Level Authorization (BOLA)
Broken Object Level Authorization, formerly Insecure Direct Object Reference
(IDOR), remains the most significant risk for APIs, as it did in 2019.
Broken Authentication
Authentication is “broken” when attackers are able to compromise passwords, keys
or session tokens, user account information, and other details to assume user
identities.
Broken Object Property Level Authorization (BOPLA)
It is crucial to verify that a user has the authorization to access the specific fields of
a GraphQL object they are attempting to reach via the API.
BOPLA is a new addition that combines the 2019 list’s Excess Data Exposure and
Mass Assignment.
(slide example of a sensitive field: recentLocation)
Broken Function Level Authorization (BFLA)
BFLA refers to a permission IDOR, whereby a regular user can perform an
administrator-level task; proper logging and monitoring are what make such
misuse visible. An attacker could exploit a BFLA vulnerability to ban other
users, whereas normally only a moderator can.
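The three authorization classes above (BOLA, BOPLA, BFLA) are separate checks that live in the resolvers, and a GraphQL server that gets one of them right can still miss the others. The added example below is not from the slides or any project they mention; it is a toy in-memory resolver layer that shows where each check belongs: the object owner is compared to the caller (BOLA), private fields such as recentLocation are released only to the owner or a moderator (BOPLA), and the banUser mutation is gated on role before it touches any object (BFLA). Users, orders, roles and field names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    email: str
    recent_location: str
    banned: bool = False


@dataclass
class Context:
    """Per-request context the server fills from the verified session,
    never from query arguments."""
    user_id: int
    role: str  # constructed roles: "user" or "moderator"


# Constructed in-memory data standing in for the real store.
USERS = {
    1: User(1, "alice", "alice@example.test", "Kochi"),
    2: User(2, "bob", "bob@example.test", "Bangalore"),
}
ORDERS = {100: {"id": 100, "owner_id": 1, "total": 42.0}}

PUBLIC_FIELDS = {"id", "name"}
PRIVATE_FIELDS = {"email", "recentLocation"}   # BOPLA: owner or moderator only
GETTERS = {
    "id": lambda u: u.id,
    "name": lambda u: u.name,
    "email": lambda u: u.email,
    "recentLocation": lambda u: u.recent_location,
}


def resolve_user(ctx: Context, user_id: int, fields: list):
    """Field-level authorization (BOPLA): public fields for any logged-in
    caller, private ones only for the profile owner or a moderator.
    Returns (data, errors) in the spirit of a GraphQL response."""
    user = USERS.get(user_id)
    if user is None:
        return None, ["user not found"]
    privileged = ctx.user_id == user_id or ctx.role == "moderator"
    data, errors = {}, []
    for f in fields:
        if f not in GETTERS:
            errors.append(f"unknown field User.{f}")
        elif f in PUBLIC_FIELDS or (f in PRIVATE_FIELDS and privileged):
            data[f] = GETTERS[f](user)
        else:
            errors.append(f"not authorized for User.{f}")
    return data, errors


def resolve_order(ctx: Context, order_id: int):
    """Object-level authorization (BOLA): compare the record's owner to the
    caller instead of trusting the id the client supplied. Missing and
    foreign orders get the same answer so ids cannot be enumerated."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != ctx.user_id
                         and ctx.role != "moderator"):
        return None, ["not authorized for this order"]
    return dict(order), []


def resolve_ban_user(ctx: Context, target_id: int):
    """Function-level authorization (BFLA): the mutation itself is gated on
    role, before any object-level logic runs."""
    if ctx.role != "moderator":
        return None, ["banUser requires the moderator role"]
    user = USERS.get(target_id)
    if user is None:
        return None, ["user not found"]
    user.banned = True
    return {"id": user.id, "banned": True}, []


if __name__ == "__main__":
    bob = Context(user_id=2, role="user")
    print(resolve_user(bob, 1, ["id", "name", "recentLocation"]))  # location withheld
    print(resolve_order(bob, 100))                                  # foreign order refused
    print(resolve_ban_user(bob, 1))                                 # mutation refused
```

Note that the field check is driven by the requested field list, which is exactly what a GraphQL selection set gives a resolver; the failure mode behind BOPLA is a resolver that returns the whole object and lets the executor pick fields from it.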
Lack of Protection from Automated Threats
Developers should know this risk and implement measures to prevent excessive
automated access to their business-sensitive API endpoints.
Implement rate limiting, user behavior analysis, and CAPTCHAs to protect your API
from excessive automated access.
Improper Inventory Management
Developers should ensure they clearly understand their API inventory and maintain
thorough documentation.
Security by obscurity: a DevSecOps team decides to disable introspection in the
production environment, but keeps it open on the public staging environment.
Introspection enabled:
https://target.com - ❌
https://dev.target.com - ✅
https://staging.target.com - ✅
https://uat.target.com - ✅
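The introspection query shown earlier (query { __schema { types { name fields { name type { name kind } } } } }) and the environment table above are two sides of the same inventory problem: a team needs to know, for every environment it owns, whether the schema is exposed, and what that schema reveals. The added example below is not part of the slides or of any tool they name. It sends a minimal introspection probe to a list of environment URLs and reports which ones answer with schema data, and it flattens a full response to the slide's query into one line per field. The transport is pluggable; the fake transport, the hostnames and the sample response are constructed so the example runs offline.

```python
import json
import urllib.request

# The slide's introspection query, plus a minimal probe used for the audit.
SCHEMA_QUERY = ("query { __schema { types { name fields { name "
                "type { name kind } } } } }")
PROBE_QUERY = "query { __schema { queryType { name } } }"


def http_post_json(url: str, body: bytes) -> bytes:
    """Default transport: POST a JSON body and return the raw response."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def introspection_enabled(url: str, transport=http_post_json) -> bool:
    """True when the endpoint answers the probe with schema data. A server
    with introspection disabled typically returns an errors array and
    data: null, which is treated as 'off'."""
    raw = transport(url, json.dumps({"query": PROBE_QUERY}).encode())
    try:
        payload = json.loads(raw)
    except ValueError:
        return False
    data = payload.get("data") or {}
    return bool(data.get("__schema"))


def audit(urls, transport=http_post_json) -> dict:
    """Map each environment URL to its introspection status."""
    return {url: introspection_enabled(url, transport) for url in urls}


def summarize_schema(response: dict) -> list:
    """Flatten a SCHEMA_QUERY response into 'Type.field: KIND Name' lines,
    skipping GraphQL's built-in __ meta types and types without fields."""
    lines = []
    for t in response["data"]["__schema"]["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        for f in t["fields"]:
            ft = f["type"]
            lines.append(f"{t['name']}.{f['name']}: {ft['kind']} "
                         f"{ft['name'] or ''}".rstrip())
    return lines


# Constructed sample response in the shape SCHEMA_QUERY returns.
SAMPLE_RESPONSE = {"data": {"__schema": {"types": [
    {"name": "Query", "fields": [
        {"name": "user", "type": {"name": "User", "kind": "OBJECT"}}]},
    {"name": "User", "fields": [
        {"name": "id", "type": {"name": None, "kind": "NON_NULL"}},
        {"name": "recentLocation", "type": {"name": "String", "kind": "SCALAR"}}]},
    {"name": "String", "fields": None},
    {"name": "__Schema", "fields": [
        {"name": "types", "type": {"name": None, "kind": "LIST"}}]},
]}}}


def fake_transport(url: str, body: bytes) -> bytes:
    """Constructed stand-in for the network: only non-production hosts answer
    the probe, mirroring the environment table on the slide."""
    if "staging." in url or "dev." in url or "uat." in url:
        return json.dumps(SAMPLE_RESPONSE).encode()
    return json.dumps({"errors": [{"message": "introspection is disabled"}],
                       "data": None}).encode()


if __name__ == "__main__":
    envs = ["https://target.com/graphql", "https://dev.target.com/graphql",
            "https://staging.target.com/graphql", "https://uat.target.com/graphql"]
    for url, enabled in audit(envs, fake_transport).items():
        print(url, "introspection ON" if enabled else "introspection off")
    for line in summarize_schema(SAMPLE_RESPONSE):
        print(line)
```

Running the audit against the real environments means dropping the transport argument; the point of the check is that a schema visible on staging is, for an attacker, the production schema too, so the table should be all ❌ rather than three ✅.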
Injection Attacks
An attacker supplies untrusted input to a program. This input gets processed by an
interpreter as part of a command or query. In turn, this alters the execution of that
program.
OS Command Injection
Stored XSS
SQL Injection
Resources
Blogs
https://github.com/Escape-Technologies/awesome-graphql-security
https://www.acceis.fr/graphql-for-pentesters/
https://anugrahsr.in/graphql-pentesting-for-dummies_part1
https://anugrahsr.in/graphql-pentesting-for-dummies_part2
https://blog.postman.com/owasp-api-security-top-10-2023-and-graphql/
https://anmolksachan.github.io/graphql/
Labs
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
https://github.com/InsiderPhD/Generic-University
EHACKIFY-100-OFF
EHACKIFY-90-OFF
For all exams. - 90% discount.
Till Sunday.