GRAPHQL Hacking Presented by Anugrah SR

ANUGRAH S R Cyber Security consultant and Security Researcher Bugbounty Hunter Synack Red Team Member Hacked and secured multiple organisations including Apple, Redbull, Sony, Dell, Netflix and many more Twitter: @cyph3r_asr | LinkedIn: anugrah-sr Blog: www.anugrahsr.in Connect with me

AGENDA What is GraphQL? Why GraphQL? Reconnaissance / Discovery Hacking GraphQL

Bug bounty hunter: $$$$ Pentester/ VAPT: Amazing finding to your report Developer : Make your app more secure

‌ GraphQL is an open-source data query language and data manipulation language for APIs, and a query runtime engine. GraphQL is a query language that was created by Facebook and made public in 2015. It offers an alternative to using REST APIs for data retrieval.‌ ‌

‌ GraphQL was created for more flexible and efficient API development. It addresses the limitations and challenges of REST APIs. GraphQL provides greater flexibility compared to REST APIs. REST APIs require multiple round trips to the server to fetch data. GraphQL solves the need for multiple round trips to the server by allowing developers to specify the data they need in a single request. Why GraphQL?

REST vs GraphQL

Avoid Over- and Underfetching: we only fetch what we need from the server by constructing our query to only include what we need. Prevent multiple API calls: In case you need more data, you can also avoid making multiple calls to your API. In the case above, you don't need to make 2 API calls to fetch /order and /product separately. API Versioning: When the need for new features arises, you can easily add additional fields, queries, mutations, etc. to the server without affecting other parts of the application. Additionally, it is easier to remove old features. Self-documenting: Every GraphQL API conforms to a "schema" which is the graph data model and what kinds of queries a client can make. Why GraphQL?

Who is using GraphQL?

/graphql /graphql/console /graphql.php /graphiql.php /explorer /altair /playground Reconnaissance / Discovery https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

Fuzzing ffuf -w graphql.txt -u https://target/FUZZ Reconnaissance / Discovery Nuclei #List of targets nuclei -t graphql-detect.yaml -l target_domains.txt #Single target nuclei -t graphql-detect.yaml -u https://example.com

Graphw00f python3 main.py -f -d -t http://localhost:5000 Reconnaissance / Discovery https://github.com/dolevf/graphw00f https://github.com/nicholasaleks/graphql-threat-matrix/ GraphQL Threat Matrix Other tools for discovery goctopus graphinder

Introspection Query: Special type of query that can be used to retrieve the schema for a GraphQL API. This schema defines the types of data that the API can return, available fields for those types and the arguments that can be passed to those fields. Generating documentation for an API Helping to debug an issue with the schema. Where is the API documentation? What all API functions exist? query { __schema { types { name fields { name type { name kind } } } } }

GraphQL Voyager Schema visualization https://ivangoncharov.github.io/graphql-voyager/

clairvoyance What if Introspection query is disabled ? https://github.com/nikitastupin/clairvoyance Let's abuse GraphQL have a feature for fields and operations suggestions.

Burp Suite GraphQL Rider inQL Browser Extension Altair Recommended Tools/Extensions

GraphQL Operations

GraphQL Operations

GraphQL is soo good! or is it?

Information Disclosure

Information Disclosure - High

https://hackerone.com/reports/419883

https://www.vulnmachines.com http://hackme3.vulnmachines.com:8088/ HANDS-ON TIME

Denial of Service (DOS) Resource Intensive Query Attack Batch Query Attack Aliases based Attack Field Duplication Attack Deep Recursion Query Attack Unrestricted Resource Consumption

Server Side Request Forgery (SSRF) Allows an attacker to induce the server-side application to make requests to an unintended location.

Broken Object Level Authorization (BOLA) Broken Object Level Authorization, formerly Insecure Direct Object Reference (IDOR), remains the most significant risk for APIs, as it did in 2019.

Broken Authentication Authentication is “broken” when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.

Broken Object Property Level Authorization (BOPLA) It is crucial to verify that a user has the authorization to access the specific fields of a GraphQL object they are attempting to reach via the API. BOPLA is a new addition that combines the 2019 list’s Excess Data Exposure and Mass Assignment. recentLocation

Broken Function Level Authorization (BFLA) BFLA emphasizing the importance of proper logging and monitoring. It refers to a permission IDOR, whereby a regular user can perform an administrator-level task. An attacker could exploit a BFLA vulnerability to ban other users, whereas normally only a moderator can.

Lack of Protection from Automated Threats Developers should know this risk and implement measures to prevent excessive automated access to their business-sensitive API endpoints. Implement rate limiting, user behavior analysis, and CAPTCHAs to protect your API from excessive automated access.

Improper Inventory Management Developers should ensure they clearly understand their API inventory and maintain thorough documentation. Security by obscurity, a DevSecOps decides to close introspection from the production environment,but they keep it open on the public staging environment Introspection enabled: https://target.com - ❌ https://dev.target.com - ✅ https://staging.target.com - ✅ https://uat.taget.com - ✅

Injection Attacks An attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. OS Command Injection

Injection Attacks An attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. Stored XSS

Injection Attacks An attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. SQL Injection

Resources Blogs https://github.com/Escape-Technologies/awesome-graphql-security https://www.acceis.fr/graphql-for-pentesters/ https://anugrahsr.in/graphql-pentesting-for-dummies_part1 https://anugrahsr.in/graphql-pentesting-for-dummies_part2 https://blog.postman.com/owasp-api-security-top-10-2023-and-graphql/ https://anmolksachan.github.io/graphql/ Labs https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application https://github.com/InsiderPhD/Generic-University

No content

EHACKIFY-100-OFF EHACKIFY-90-OFF For all exams. - 90% discount. Till Sunday.