Hello Folks 👋,
This is Parth from the BUG XS team. In this blog I am going to discuss GraphQL injection. You can find my other write-ups here.
We discuss GraphQL exploitation in more depth in our bug bounty batches. DM BUG XS for more info ❤
Let's get started 🙌
As we know, GraphQL was initially developed and used by Facebook as an internal query language, so its features largely revolve around internal and development use. GraphQL executes queries against a type system that describes the data. An important but often overlooked feature of GraphQL is the ability to ask the server for its schema of supported queries through the Introspection System.
Now we have a rough idea of what GraphQL is. Let's jump into the finding.
Let us consider the target to be redacted.com. There are many possible GraphQL endpoints, so I suggest adding them to your fuzzing list. Burp Suite will also help you spot GraphQL endpoints. Some of the common endpoints are:
- /graphql
- /graphiql
- /graphql.php or /graphql.php/debug=1
- /graphie
- /console/
→ Online GQL IDE to interact with the back-end

I found the /graphql endpoint while fuzzing with FFUF. So I then checked whether it had an online GraphQL IDE enabled for direct interaction with the server. Unfortunately it was not there 😪, but that shouldn't dampen your motivation, because we don't expect an online IDE to be exposed unless you are in a lab.
Now, Burp Suite is always there to the rescue if you want to send manipulated requests to the server. So I sent my request to Repeater for further exploitation.
So, till now I have found the following points:
- GraphQL is enabled.
- IDE is not enabled.

Now, what does an introspection query really do?
An introspection query can completely reveal the back-end schema defined by the developers, including arguments, fields, types, descriptions, deprecation status of types and so on. This easily gives away a complete map of the back-end system along with its schema and directives. Thus, getting output for an introspection query is still a vulnerability.
So, when I executed the introspection query, it gave me output defining the relations between fields, types, etc., but as I wrote before, GraphQL works in JSON, so figuring out relations in JSON is really time-consuming. Nevertheless, we have apis-guru to the rescue: you can paste your introspection output and it will show you all the relations between all the fields and columns. You can check it out here.
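The introspection JSON can also be walked without a graphical tool. The script below is an added example (not from the original post or from BUG XS): given a constructed introspection response, it reports whether introspection is enabled and lists the root query and mutation fields with their argument types in SDL-style notation, which is exactly what a team auditing its own endpoint wants to see at a glance.

```python
import json

# Constructed sample (not from redacted.com): a response with introspection enabled.
ENABLED = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "isDeprecated": False,
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "isDeprecated": False,
             "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]}]}}})

# Constructed sample: a typical error body from a server that blocks introspection.
DISABLED = json.dumps({"errors": [{"message": "GraphQL introspection is not allowed"}]})


def type_name(t):
    """Render a nested __Type reference in SDL style, e.g. ID!, [User], String."""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]


def summarize_schema(body):
    """Parse an introspection response and list the root operations it exposes."""
    schema = (json.loads(body).get("data") or {}).get("__schema")
    if not schema:  # no __schema in the response: introspection is off or errored
        return {"introspection_enabled": False, "queries": [], "mutations": []}
    types = {t["name"]: t for t in schema["types"]}

    def root_fields(root):
        if not root:  # e.g. a schema that defines no mutationType
            return []
        out = []
        for f in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args", []))
            out.append(f"{f['name']}({args}): {type_name(f['type'])}")
        return out

    return {"introspection_enabled": True,
            "queries": root_fields(schema.get("queryType")),
            "mutations": root_fields(schema.get("mutationType"))}
```

Feed it the raw body returned for a full introspection query; an empty mutation list on a production endpoint that is supposed to block introspection is the quick check a defender wants.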
With all the relations, I could even do a DoS attack on their server. :-/
So, till now I have found the following points:
- GraphQL is enabled.
- IDE is not enabled.
- Back-end system relations, with the help of introspection.

What are GraphQL mutation queries used for?
The answer is that mutation queries are used to create, edit and delete data in the back-end system. After seeing the relations in the introspection output, I was able to figure out the different methods, what I could edit, and what could do real harm to redacted.com. Now I can call different methods with the query below.
{
__schema{
queryType{
name
}
}
}
In the query type you can mention what you would like to have. So I tried to add data; it gave me an authorization error, but I guess I could edit or delete data because it threw me a different error which I knew how to solve. (I never did this because they mentioned not to play around with internal data 😂)
Thus I reported this vulnerability and was rewarded with 💶💶💶.