2022-03-15 13:13:35 +00:00
|
|
|
id: graphql-field-suggestion
|
|
|
|
|
|
|
|
|
|
info:
|
|
|
|
|
name: GraphQL Field Suggestion Information Disclosure
|
|
|
|
|
author: Dolev Farhi
|
|
|
|
|
severity: info
|
|
|
|
|
description: |
|
|
|
|
|
If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
|
|
|
|
|
By default, GraphQL backends have a feature for fields and operations suggestions.
|
|
|
|
|
If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
|
|
|
|
|
reference:
|
|
|
|
|
- https://github.com/webonyx/graphql-php/issues/454
|
|
|
|
|
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
|
|
|
|
|
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
|
|
|
|
|
- https://graphql.security
|
2023-06-02 23:20:49 +00:00
|
|
|
tags: graphql,misconfig
|
2023-04-28 08:11:21 +00:00
|
|
|
metadata:
|
|
|
|
|
max-request: 2
|
2022-03-15 13:13:35 +00:00
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
http:
|
2022-03-15 13:13:35 +00:00
|
|
|
- raw:
|
|
|
|
|
- |
|
|
|
|
|
POST /graphql HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
|
|
|
|
|
|
2022-07-26 05:19:58 +00:00
|
|
|
- |
|
|
|
|
|
POST /api/graphql HTTP/1.1
|
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
Content-Type: application/json
|
|
|
|
|
|
|
|
|
|
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
|
|
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
2022-03-15 13:13:35 +00:00
|
|
|
matchers-condition: and
|
|
|
|
|
matchers:
|
|
|
|
|
- type: word
|
|
|
|
|
part: body
|
|
|
|
|
words:
|
|
|
|
|
- "Did you mean"
|
|
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
|
part: header
|
|
|
|
|
words:
|
2022-07-26 05:19:58 +00:00
|
|
|
- "application/json"
|
