diff --git a/network-services-pentesting/pentesting-web/graphql.md b/network-services-pentesting/pentesting-web/graphql.md index fb5c6d410..58df47af2 100644 --- a/network-services-pentesting/pentesting-web/graphql.md +++ b/network-services-pentesting/pentesting-web/graphql.md @@ -414,6 +414,34 @@ To bypass restrictions on introspection queries in APIs, inserting a **special c If unsuccessful, consider alternative request methods, such as **GET requests** or **POST with `x-www-form-urlencoded`**, since restrictions may apply only to POST requests. +### Try WebSockets + +As mentioned in [**this talk**](https://www.youtube.com/watch?v=tIo\_t5uUK50), check if it might be possible to connect to graphQL via WebSockets as that might allow you to bypass a potential WAF and make the websocket communication leak the schema of the graphQL: + +```javascript +ws = new WebSocket('wss://target/graphql', 'graphql-ws'); +ws.onopen = function start(event) { + var GQL_CALL = { + extensions: {}, + query: ` + { + __schema { + _types { + name + } + } + }` + } + + var graphqlMsg = { + type: 'GQL.START', + id: '1', + payload: GQL_CALL, + }; + ws.send(JSON.stringify(graphqlMsg)); +} +``` + ### **Discovering Exposed GraphQL Structures** When introspection is disabled, examining the website's source code for preloaded queries in JavaScript libraries is a useful strategy. These queries can be found using the `Sources` tab in developer tools, providing insights into the API's schema and revealing potentially **exposed sensitive queries**. The commands to search within the developer tools are: 
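Review bot: the introspection query in the new `Try WebSockets` snippet asks for `__schema { _types { name } }`, but the introspection field on `__Schema` is `types`, so any spec-compliant server rejects the request with a validation error and the snippet never leaks anything; change it to `__schema { types { name } }`. The framing also does not match the `graphql-ws` subprotocol the constructor negotiates: that is the subscriptions-transport-ws protocol, which requires a `connection_init` message before any operation and uses the wire value `start` for the operation type (`GQL.START` is not a value that protocol recognises), so open the handler with `ws.send(JSON.stringify({ type: 'connection_init', payload: {} }));` and send `type: 'start'`; it is worth mentioning that servers speaking the newer `graphql-transport-ws` subprotocol expect `subscribe` instead, and that in both protocols the `id` must be unique per operation. Finally, nothing reads the reply, so the schema would not be visible even with a correct query: add `ws.onmessage = function (event) { console.log(event.data); };` and declare `ws` with `const` rather than assigning an implicit global.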
@@ -456,6 +484,16 @@ Also, abusing a [**XS-Search**](../../pentesting-web/xs-search/) **attack** migh For more information **check the** [**original post here**](https://blog.doyensec.com/2021/05/20/graphql-csrf.html). +## Cross-site WebSocket hijacking in GraphQL + +Similar to CRSF vulnerabilities abusing graphQL it's also possible to perform a **Cross-site WebSocket hijacking to abuse an authentication with GraphQL with unprotected cookies** and make a user perform unexpected actions in GraphQL. + +For more information check: + +{% content-ref url="../../pentesting-web/websocket-attacks.md" %} +[websocket-attacks.md](../../pentesting-web/websocket-attacks.md) +{% endcontent-ref %} + ## Authorization in GraphQL Many GraphQL functions defined on the endpoint might only check the authentication of the requester but not authorization. 
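Review bot: the new `Cross-site WebSocket hijacking in GraphQL` paragraph has a typo (`CRSF` should read `CSRF`) and leaves out the precondition a reader needs in order to tell whether a target is affected. The WebSocket handshake is a plain GET that the browser sends with the victim's cookies and that CORS does not restrict, so the attack only works when the GraphQL server authenticates the socket from a session cookie and accepts the handshake without validating the `Origin` header; in Chromium-based browsers a cookie with no `SameSite` attribute is treated as `Lax` and is withheld from a cross-site handshake, so in practice the cookie must have been set with `SameSite=None`. Suggest rewording the sentence to "...abuse cookie-based authentication on the GraphQL WebSocket endpoint when the server does not check the `Origin` header and the session cookie is not protected by `SameSite`", and adding that the attacker page then sends the same `connection_init`/`start` messages shown in the `Try WebSockets` section, with the victim's cookie attached automatically.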
@@ -515,8 +553,10 @@ query isValidDiscount($code: Int) { * [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): Toolkit that can be used to grab schemas and search for sensitive data, test authorization, brute force schemas, and find paths to a given type. * [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): Can be used as standalone or [Burp extension](https://github.com/doyensec/inql). * [https://github.com/swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap): Can be used as a CLI client also to automate attacks -* [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): Tool that lists the different ways of reaching a given type in a GraphQL schema. +* [https://gitlab.com/dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum): Tool that lists the different ways of **reaching a given type in a GraphQL schema**. +* [https://github.com/doyensec/GQLSpection](https://github.com/doyensec/GQLSpection): The Successor of Standalone and CLI Modes os InQL * [https://github.com/doyensec/inql](https://github.com/doyensec/inql): Burp extension for advanced GraphQL testing. The _**Scanner**_ is the core of InQL v5.0, where you can analyze a GraphQL endpoint or a local introspection schema file. It auto-generates all possible queries and mutations, organizing them into a structured view for your analysis. The _**Attacker**_ component lets you run batch GraphQL attacks, which can be useful for circumventing poorly implemented rate limits. +* [https://github.com/nikitastupin/clairvoyance](https://github.com/nikitastupin/clairvoyance): Try to get the schema even with introspection disabled by using the help of some Graphql databases that will suggest the names of mutations and parameters. ### Clients
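Review bot: two of the new tool entries are inaccurate or garbled. The GQLSpection line reads "The Successor of Standalone and CLI Modes os InQL"; fix to "Successor of the standalone and CLI modes of InQL". The clairvoyance description claims it gets the schema "by using the help of some Graphql databases that will suggest the names of mutations and parameters", but the tool queries no database: it brute-forces field and argument names from a wordlist and harvests the server's own field-suggestion error messages (`Did you mean ...?`) returned for invalid names, iteratively reconstructing the schema while introspection is disabled. Suggest "Recovers the schema with introspection disabled by brute-forcing field names from a wordlist and harvesting the server's `Did you mean ...?` suggestions", and note that it only works while the server still returns field suggestions, since disabling suggestions or masking errors defeats it.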