Hacking GraphQL Zero to One Part-2
In the last article in this series, I covered the basics of GraphQL. We learned about introspection and also tried a lab on parameter tampering. Let's continue from where we left off.
Let's start with a lab. To solve it, we need to sign in as the administrator and delete the user Carlos.
Here the issue is in the authentication flow.
Let's check the login API in the Repeater tab.
Run the introspection query to find all the parameters and schema involved.
In the Repeater response, select GraphQL > Save GraphQL queries to sitemap.
This adds the GraphQL endpoints to the scope, a pretty useful feature.
Let's try out the getUser query in Repeater. Set id = 1 to retrieve the admin credentials.
Now access the admin page and delete Carlos to solve the lab.
Usually, developers try to block introspection by blocking `__schema` with a regex. To bypass it, we can add a newline in the introspection query so the regex no longer matches. Another way is to change the request method from POST to GET. Or you can use x-www-form-urlencoded in the Content-Type header in a GET request. Eg:
GET /graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D
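To show why the regex fails and what a defender should do instead, here is an added example (not from the original article or the lab): an assumed weak literal filter beside a hypothetical hardened check that first recovers the query from whichever transport carried it and then looks for `__schema`/`__type` as whole tokens, so whitespace, newlines, comments and a change of method or content type make no difference.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Assumed weak filter, for illustration: a literal match on "__schema{".
# Whitespace, a newline or a comment between the field name and the brace
# defeats it, which is exactly the bypass described above.
def weak_introspection_check(raw_body: str) -> bool:
    return "__schema{" in raw_body

# Hypothetical hardened check: first recover the query from whichever
# transport carried it (GET query string, JSON body, form-urlencoded body),
# then look for the introspection root fields as whole identifier tokens,
# ignoring string literals, comments and any amount of whitespace.
INTROSPECTION_FIELDS = {"__schema", "__type"}
_IDENT = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")

def extract_query(method: str, target: str, content_type: str, body: str) -> str:
    """Return the GraphQL query text regardless of method or content type."""
    if method.upper() == "GET":
        return parse_qs(urlparse(target).query).get("query", [""])[0]
    if "application/json" in content_type:
        return json.loads(body).get("query", "")
    if "x-www-form-urlencoded" in content_type:
        return parse_qs(body).get("query", [""])[0]
    return body  # application/graphql or unknown: the body is the query

def robust_introspection_check(query: str) -> bool:
    """True if the query names __schema or __type, however it is formatted."""
    cleaned = _COMMENT.sub("", _STRING.sub('""', query))
    return any(tok in INTROSPECTION_FIELDS for tok in _IDENT.findall(cleaned))

if __name__ == "__main__":
    # Constructed sample: the newline variant from the article, sent over GET.
    url = "/api?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D"
    q = extract_query("GET", url, "", "")
    print("weak filter blocks:", weak_introspection_check(q))      # False
    print("robust filter blocks:", robust_introspection_check(q))  # True
```

The token-based check is a detection rule, not a substitute for disabling introspection in production in the server's own configuration.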
Let's try another lab which has some defenses against introspection.
Lab: Finding a hidden GraphQL endpoint
At first glance, we cannot see any GraphQL endpoint in any request.
We cannot run introspection because all the APIs look like REST; there is no query parameter used. Let's try common API endpoints. /api returns "query not found", so it's likely a GraphQL endpoint.
Let's verify with a simple query:
?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D
There is a GraphQL tab; I just realized that now!
Introspection query fails as expected.
Add a newline after __schema to bypass the protection.
Send the results to the scope and you will see a delete API. Try different user IDs until you delete Carlos (id = 3) to solve the lab.
I hope you liked today's article. I will try my best to post daily. My team is currently working on a tool called LiveReview.
With LiveReview, you get fast, AI-powered code reviews that improve quality without slowing you down.
If you're tired of waiting for a peer to review your code, or not confident that they'll provide valid feedback, LiveReview is for you.