mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 10:26:09 +00:00
Hidden Parameters
This commit is contained in:
parent
e2e2da74ce
commit
b0dfcfd438
@ -33,6 +33,7 @@
|
||||
* [swisskyrepo/GraphQLmap](https://github.com/swisskyrepo/GraphQLmap) - Scripting engine to interact with a graphql endpoint for pentesting purposes
|
||||
* [doyensec/graph-ql](https://github.com/doyensec/graph-ql/) - GraphQL Security Research Material
|
||||
* [doyensec/inql](https://github.com/doyensec/inql) - A Burp Extension for GraphQL Security Testing
|
||||
* [doyensec/GQLSpection](https://github.com/doyensec/GQLSpection) - GQLSpection - parses GraphQL introspection schema and generates possible queries
|
||||
* [dee-see/graphql-path-enum](https://gitlab.com/dee-see/graphql-path-enum) - Lists the different ways of reaching a given type in a GraphQL schema
|
||||
* [andev-software/graphql-ide](https://github.com/andev-software/graphql-ide) - An extensive IDE for exploring GraphQL API's
|
||||
* [mchoji/clairvoyancex](https://github.com/mchoji/clairvoyancex) - Obtain GraphQL API schema despite disabled introspection
|
||||
@ -205,6 +206,9 @@ When you use an unknown keyword, the GraphQL backend will respond with a suggest
|
||||
}
|
||||
```
|
||||
|
||||
You can also try to bruteforce known keywords, field and type names using wordlists such as [Escape-Technologies/graphql-wordlist](https://github.com/Escape-Technologies/graphql-wordlist) when the schema of a GraphQL API is not accessible.
|
||||
|
||||
|
||||
|
||||
### Enumerate the types' definition
|
||||
|
||||
@ -271,7 +275,7 @@ example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
|
||||
|
||||
:warning: Don’t forget to escape the " inside the **options**.
|
||||
|
||||
```json
|
||||
```js
|
||||
{doctors(options: "{\"patients.ssn\" :1}"){firstName lastName id patients{ssn}}}
|
||||
```
|
||||
|
||||
@ -347,7 +351,7 @@ mutation {
|
||||
|
||||
Use `$regex`, `$ne` from []() inside a `search` parameter.
|
||||
|
||||
```json
|
||||
```js
|
||||
{
|
||||
doctors(
|
||||
options: "{\"limit\": 1, \"patients.ssn\" :1}",
|
||||
@ -363,7 +367,7 @@ Use `$regex`, `$ne` from []() inside a `search` parameter.
|
||||
|
||||
Send a single quote `'` inside a graphql parameter to trigger the SQL injection
|
||||
|
||||
```powershell
|
||||
```js
|
||||
{
|
||||
bacon(id: "1'") {
|
||||
id,
|
||||
@ -398,4 +402,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%
|
||||
* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417)
|
||||
* [GraphQL Batching Attack - RENATAWALLARM - DECEMBER 13, 2019](https://lab.wallarm.com/graphql-batching-attack/)
|
||||
* [GraphQL for Pentesters presentation by ACCEIS - 01/12/2022](https://acceis.github.io/prez-graphql/) - [source](https://github.com/Acceis/prez-graphql)
|
||||
* [Exploiting GraphQL - Aug 29, 2021 - AssetNote - Shubham Shah](https://blog.assetnote.io/2021/08/29/exploiting-graphql/)
|
||||
* [Exploiting GraphQL - Aug 29, 2021 - AssetNote - Shubham Shah](https://blog.assetnote.io/2021/08/29/exploiting-graphql/)
|
||||
* [Building a free open source GraphQL wordlist for penetration testing - Nohé Hinniger-Foray - Aug 17, 2023](https://escape.tech/blog/graphql-security-wordlist/)
|
51
Hidden Parameters/README.md
Normal file
51
Hidden Parameters/README.md
Normal file
@ -0,0 +1,51 @@
|
||||
# HTTP Hidden Parameters
|
||||
|
||||
> Web applications often have hidden or undocumented parameters that are not exposed in the user interface. Fuzzing can help discover these parameters, which might be vulnerable to various attacks.
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Exploit](#exploit)
|
||||
* [Bruteforce parameters](#bruteforce-parameters)
|
||||
* [Old parameters](#old-parameters)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) - Burp extension to identify hidden, unlinked parameters.
|
||||
* [s0md3v/Arjun](https://github.com/s0md3v/Arjun) - HTTP parameter discovery suite
|
||||
* [Sh1Yo/x8](https://github.com/Sh1Yo/x8) - Hidden parameters discovery suite
|
||||
* [tomnomnom/waybackurls](https://github.com/tomnomnom/waybackurls) - Fetch all the URLs that the Wayback Machine knows about for a domain
|
||||
* [devanshbatham/ParamSpider](https://github.com/devanshbatham/ParamSpider) - Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
|
||||
|
||||
|
||||
## Exploit
|
||||
|
||||
### Bruteforce parameters
|
||||
|
||||
* Use wordlists of common parameters and send them, look for unexpected behavior from the backend.
|
||||
```ps1
|
||||
x8 -u "https://example.com/" -w <wordlist>
|
||||
x8 -u "https://example.com/" -X POST -w <wordlist>
|
||||
```
|
||||
|
||||
Wordlist examples:
|
||||
- [Arjun/large.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/large.txt)
|
||||
- [Arjun/medium.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/medium.txt)
|
||||
- [Arjun/small.txt](https://github.com/s0md3v/Arjun/blob/master/arjun/db/small.txt)
|
||||
- [samlists/sam-cc-parameters-lowercase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-lowercase-all.txt)
|
||||
- [samlists/sam-cc-parameters-mixedcase-all.txt](https://github.com/the-xentropy/samlists/blob/main/sam-cc-parameters-mixedcase-all.txt)
|
||||
|
||||
### Old parameters
|
||||
|
||||
Explore all the URL from your targets to find old parameters.
|
||||
* Browse the [Wayback Machine](http://web.archive.org/)
|
||||
* Look through the JS files to discover unused parameters
|
||||
|
||||
|
||||
## References
|
||||
|
||||
* [Hacker tools: Arjun – The parameter discovery tool - 17TH MAY 2021 - Intigriti](https://blog.intigriti.com/2021/05/17/hacker-tools-arjun-the-parameter-discovery-tool/)
|
||||
* [Parameter Discovery: A quick guide to start - 20/04/2022 - YesWeHack](https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/)
|
||||
|
Loading…
Reference in New Issue
Block a user