
Recently, I have learned a few new injection attacks, and one of them is GraphQL Injection. Before we understand how the attack works, we need to first understand what GraphQL is.
GraphQL is an open-source Data Query Language (DQL) and Data Manipulation Language (DML). It was initially developed by Facebook around 2012 and released around 2015. Compared with web-service architectures such as REST, it is positioned as a more efficient alternative, which has become its main advantage.
However, GraphQL is backed by your existing code and is not tied to any specific database format.
GraphQL vulnerabilities can be found using the tools mentioned below:
Basic code for a GraphQL server may look something like the following:
var { graphql, buildSchema } = require('graphql');

// Construct a schema, using GraphQL schema language
var schema = buildSchema(`
  type Query {
    hello: String
  }
`);

// The root provides a resolver function for each API endpoint
var root = {
  hello: () => {
    return 'Hello world!';
  },
};

// Run the GraphQL query '{ hello }' and print out the response
graphql(schema, '{ hello }', root).then((response) => {
  console.log(response);
});

Code credit: Getting Started with GraphQL.js
From the code above, we can confirm the query works by checking whether the application replies with the expected response.
Normally, we receive “GET Method Allow” back in the response from the application itself. You can check this using Burp Suite or curl.
The path that can be used for Path Traversal will look something like the one below:
After testing with the query request, you will see something like:
{
  GraphQLid {
    name,
    type,
    id,
  }
}
Copyright © 2021 Threatninja Website