From 1df275d0ae4b5bf7305529ba764f9e430d1a06e8 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Tue, 15 Mar 2022 18:43:35 +0530
Subject: [PATCH] update: more matchers + description + reference
---
 .../graphql/graphql-alias-based-batching.yaml | 25 -----------
 .../graphql/graphql-alias-batching.yaml | 41 +++++++++++++++++++
 .../graphql/graphql-array-batching.yaml | 26 +++++++++---
 .../graphql/graphql-field-suggestion.yaml | 37 +++++++++++++++++
 .../graphql/graphql-field-suggestions.yaml | 24 ----------
 .../graphql/graphql-get-method-support.yaml | 21 ---------
 .../graphql/graphql-get-method.yaml | 36 ++++++++++++++++
 7 files changed, 134 insertions(+), 76 deletions(-)
 delete mode 100644 misconfiguration/graphql/graphql-alias-based-batching.yaml
 create mode 100644 misconfiguration/graphql/graphql-alias-batching.yaml
 create mode 100644 misconfiguration/graphql/graphql-field-suggestion.yaml
 delete mode 100644 misconfiguration/graphql/graphql-field-suggestions.yaml
 delete mode 100644 misconfiguration/graphql/graphql-get-method-support.yaml
 create mode 100644 misconfiguration/graphql/graphql-get-method.yaml
diff --git a/misconfiguration/graphql/graphql-alias-based-batching.yaml b/misconfiguration/graphql/graphql-alias-based-batching.yaml
deleted file mode 100644
index 1023a9f047..0000000000
--- a/misconfiguration/graphql/graphql-alias-based-batching.yaml
+++ /dev/null
@@ -1,25 +0,0 @@ -id: graphql-alias-based-batching - -info: - name: GraphQL Alias-based Batching - author: Dolev Farhi - severity: low - description: GraphQL allows batching multiple queries using Aliases - reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin - tags: graphql - -requests: - - raw: - - | - POST /graphql HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"} - - matchers: - - type: word - part: body - words: - - "nuclei6" - case-insensitive: true \ No newline at end of file diff --git a/misconfiguration/graphql/graphql-alias-batching.yaml b/misconfiguration/graphql/graphql-alias-batching.yaml new file mode 100644 index 0000000000..eec26f56fa --- /dev/null +++ b/misconfiguration/graphql/graphql-alias-batching.yaml 
@@ -0,0 +1,41 @@ +id: graphql-alias-batching + +info: + name: GraphQL Alias-based Batching + author: Dolev Farhi + severity: low + description: | + GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently. + However, an attacker can leverage this feature to evade many security measures, including rate limit. + reference: + - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application + - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html + - https://graphql.security/ + - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin + remediation: | + Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks. + tags: graphql + +requests: + - raw: + - | + POST /graphql HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"data":' + - '"nuclei1":' + - '"nuclei6":' + condition: and + + - type: word + part: header + words: + - "application/json" \ No newline at end of file diff --git a/misconfiguration/graphql/graphql-array-batching.yaml b/misconfiguration/graphql/graphql-array-batching.yaml index 43a12de8ba..be4e76b5a3 100644 --- a/misconfiguration/graphql/graphql-array-batching.yaml +++ b/misconfiguration/graphql/graphql-array-batching.yaml 
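Review bot: The header matcher at the end of the new template accepts only the substring `application/json`, so a server that answers with the GraphQL-over-HTTP media type `application/graphql-response+json` fails the `matchers-condition: and` even when the body shows all six aliases resolved. Adding `- "application/graphql-response+json"` to that `words:` list (word matchers default to `or`) keeps the response-type check without silently dropping those servers. The same header matcher is copied into graphql-array-batching.yaml, graphql-field-suggestion.yaml and graphql-get-method.yaml in this commit. Separately, the description reads `into a single queries` and `including rate limit`; `into a single query` and `including rate limiting` would be clearer.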
@@ -1,11 +1,18 @@ -id: graphql-array-based-batching +id: graphql-array-batching info: name: GraphQL Array-based Batching author: Dolev Farhi severity: low - description: GraphQL Allows Batching Requests using Arrays - reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin + description: | + Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently. + However, an attacker can leverage this feature to evade many security measures, including Rate Limit. + reference: + - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin + - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application + - https://graphql.security/ + remediation: | + Deactivate or limit Batching in your GraphQL engine. tags: graphql requests: @@ -17,10 +24,17 @@ requests: [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}] + matchers-condition: and matchers: - type: word part: body words: - - "Query" - - "Mutations" - case-insensitive: true \ No newline at end of file + - ':"Query"' + - ':"Mutations"' + case-insensitive: true + condition: and + + - type: word + part: header + words: + - "application/json" \ No newline at end of file diff --git a/misconfiguration/graphql/graphql-field-suggestion.yaml b/misconfiguration/graphql/graphql-field-suggestion.yaml new file mode 100644 index 0000000000..543825ebe8 --- /dev/null +++ b/misconfiguration/graphql/graphql-field-suggestion.yaml 
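Review bot: In the second hunk (`@@ -17,10 +24,17 @@`) the body matcher now requires both `':"Query"'` and `':"Mutations"'` under `condition: and`, but the mutation root type is conventionally named `Mutation`, so on any schema that uses that name the `__typename` of the mutation batch element comes back as `"Mutation"` and the template reports nothing even though the array batch executed. Changing the second word to the prefix `- ':"Mutation'` keeps the check for both spellings, since `case-insensitive: true` already applies. Note also that `:"Query"` only matches compact JSON; an engine that pretty-prints with a space after the colon would miss both words, which a `type: regex` matcher using `:\s*"Query"` and `:\s*"Mutations?"` would tolerate.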
@@ -0,0 +1,37 @@ +id: graphql-field-suggestion + +info: + name: GraphQL Field Suggestion Information Disclosure + author: Dolev Farhi + severity: info + description: | + If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema. + By default, GraphQL backends have a feature for fields and operations suggestions. + If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt. + reference: + - https://github.com/webonyx/graphql-php/issues/454 + - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application + - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html + - https://graphql.security + tags: graphql + +requests: + - raw: + - | + POST /graphql HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + {"query":"query {\n __schema {\n directive\n }\n}","variables":null} + + matchers-condition: and + matchers: + - type: word + part: body + words: + - "Did you mean" + + - type: word + part: header + words: + - "application/json" \ No newline at end of file diff --git a/misconfiguration/graphql/graphql-field-suggestions.yaml b/misconfiguration/graphql/graphql-field-suggestions.yaml deleted file mode 100644 index 614ef63b4c..0000000000 --- a/misconfiguration/graphql/graphql-field-suggestions.yaml +++ /dev/null @@ -1,24 +0,0 @@ -id: graphql-field-suggestions - -info: - name: GraphQL Field Suggestion Enabled - author: Dolev Farhi - severity: low - description: GraphQL Allows Enumeration of Schema through Field Suggestions - reference: https://github.com/webonyx/graphql-php/issues/454 - tags: graphql - -requests: - - raw: - - | - POST /graphql HTTP/1.1 - Host: {{Hostname}} - Content-Type: application/json - - {"query":"query {\n __schema {\n directive\n }\n}","variables":null} - - matchers: - - type: word - part: body - words: - - "Did you mean" 
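Review bot: The new template's `info:` block has no `remediation:` entry, while graphql-alias-batching.yaml and graphql-array-batching.yaml in this same commit carry one; graphql-get-method.yaml has the same gap. A one-line `remediation: |` such as `Disable field and operation suggestions in the GraphQL engine so validation errors do not echo schema names.` would bring it in line with the other templates. The description also reads `earn information on the GraphQL schema`; `gain information about the GraphQL schema` is the intended wording. Since the probe itself queries `__schema`, whether the `Did you mean` hint is still emitted when introspection is blocked depends on how the engine orders its validation rules, so the description's opening claim about disabled introspection may want hedging.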
diff --git a/misconfiguration/graphql/graphql-get-method-support.yaml b/misconfiguration/graphql/graphql-get-method-support.yaml deleted file mode 100644 index a2a49e8dff..0000000000 --- a/misconfiguration/graphql/graphql-get-method-support.yaml +++ /dev/null @@ -1,21 +0,0 @@ -id: graphql-get-method-support - -info: - name: GraphQL Allows GET method - author: Dolev Farhi - severity: low - description: GraphQL Allows querying using the GET method - reference: https://graphql.org/learn/serving-over-http/#get-request - tags: graphql - -requests: - - method: GET - path: - - "{{BaseURL}}/graphql?query={__typename}" - - matchers: - - type: word - part: body - words: - - "Query" - case-insensitive: true \ No newline at end of file diff --git a/misconfiguration/graphql/graphql-get-method.yaml b/misconfiguration/graphql/graphql-get-method.yaml new file mode 100644 index 0000000000..d83c13f8b5 --- /dev/null +++ b/misconfiguration/graphql/graphql-get-method.yaml 
@@ -0,0 +1,36 @@ +id: graphql-get-method + +info: + name: GraphQL CSRF / GET method + author: Dolev Farhi + severity: info + description: | + Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API. + Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser. + reference: + - https://graphql.org/learn/serving-over-http/#get-request + - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application + - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html + - https://graphql.security/ + tags: graphql + +requests: + - method: GET + path: + - "{{BaseURL}}/graphql?query={__typename}" + + matchers-condition: and + matchers: + - type: word + part: body + words: + - '"query"' + - '"data"' + - '"__typename"' + case-insensitive: true + condition: and + + - type: word + part: header + words: + - "application/json" \ No newline at end of file
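Review bot: The matchers only confirm that a query (`{__typename}`) executes over GET, which the cited graphql.org reference treats as supported behaviour; they do not establish that mutations are accepted over GET, which is the case the description's CSRF paragraph is actually about. The name `GraphQL CSRF / GET method` and the description therefore claim more than the check shows; a sentence such as `This check only verifies that queries are served over GET; whether mutations are accepted over GET (the CSRF-relevant case) is not tested.` in the description would scope it, or the name could be reduced to the GET-method part. The body word `'"query"'` only matches because `case-insensitive: true` lets it hit the root type name in `{"data":{"__typename":"Query"}}`; writing it as `'"Query"'` would make that dependency visible. Also `an user if he visits` reads better as `a user who visits`.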