update: more matchers + description + reference
parent
a003e24add
commit
1df275d0ae
|
@ -1,25 +0,0 @@
|
|||
id: graphql-alias-based-batching
|
||||
|
||||
info:
|
||||
name: GraphQL Alias-based Batching
|
||||
author: Dolev Farhi
|
||||
severity: low
|
||||
description: GraphQL allows batching multiple queries using Aliases
|
||||
reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /graphql HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "nuclei6"
|
||||
case-insensitive: true
|
|
@ -0,0 +1,41 @@
|
|||
id: graphql-alias-batching
|
||||
|
||||
info:
|
||||
name: GraphQL Alias-based Batching
|
||||
author: Dolev Farhi
|
||||
severity: low
|
||||
description: |
|
||||
GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
|
||||
However, an attacker can leverage this feature to evade many security measures, including rate limit.
|
||||
reference:
|
||||
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
|
||||
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
|
||||
- https://graphql.security/
|
||||
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
|
||||
remediation: |
|
||||
Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /graphql HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"data":'
|
||||
- '"nuclei1":'
|
||||
- '"nuclei6":'
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
|
@ -1,11 +1,18 @@
|
|||
id: graphql-array-based-batching
|
||||
id: graphql-array-batching
|
||||
|
||||
info:
|
||||
name: GraphQL Array-based Batching
|
||||
author: Dolev Farhi
|
||||
severity: low
|
||||
description: GraphQL Allows Batching Requests using Arrays
|
||||
reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
|
||||
description: |
|
||||
Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
|
||||
However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
|
||||
reference:
|
||||
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
|
||||
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
|
||||
- https://graphql.security/
|
||||
remediation: |
|
||||
Deactivate or limit Batching in your GraphQL engine.
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
|
@ -17,10 +24,17 @@ requests:
|
|||
|
||||
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Query"
|
||||
- "Mutations"
|
||||
- ':"Query"'
|
||||
- ':"Mutations"'
|
||||
case-insensitive: true
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
|
@ -0,0 +1,37 @@
|
|||
id: graphql-field-suggestion
|
||||
|
||||
info:
|
||||
name: GraphQL Field Suggestion Information Disclosure
|
||||
author: Dolev Farhi
|
||||
severity: info
|
||||
description: |
|
||||
If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
|
||||
By default, GraphQL backends have a feature for fields and operations suggestions.
|
||||
If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
|
||||
reference:
|
||||
- https://github.com/webonyx/graphql-php/issues/454
|
||||
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
|
||||
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
|
||||
- https://graphql.security
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /graphql HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Did you mean"
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
|
@ -1,24 +0,0 @@
|
|||
id: graphql-field-suggestions
|
||||
|
||||
info:
|
||||
name: GraphQL Field Suggestion Enabled
|
||||
author: Dolev Farhi
|
||||
severity: low
|
||||
description: GraphQL Allows Enumeration of Schema through Field Suggestions
|
||||
reference: https://github.com/webonyx/graphql-php/issues/454
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST /graphql HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/json
|
||||
|
||||
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Did you mean"
|
|
@ -1,21 +0,0 @@
|
|||
id: graphql-get-method-support
|
||||
|
||||
info:
|
||||
name: GraphQL Allows GET method
|
||||
author: Dolev Farhi
|
||||
severity: low
|
||||
description: GraphQL Allows querying using the GET method
|
||||
reference: https://graphql.org/learn/serving-over-http/#get-request
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/graphql?query={__typename}"
|
||||
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- "Query"
|
||||
case-insensitive: true
|
|
@ -0,0 +1,36 @@
|
|||
id: graphql-get-method
|
||||
|
||||
info:
|
||||
name: GraphQL CSRF / GET method
|
||||
author: Dolev Farhi
|
||||
severity: info
|
||||
description: |
|
||||
Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
|
||||
Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
|
||||
reference:
|
||||
- https://graphql.org/learn/serving-over-http/#get-request
|
||||
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
|
||||
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
|
||||
- https://graphql.security/
|
||||
tags: graphql
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
path:
|
||||
- "{{BaseURL}}/graphql?query={__typename}"
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: body
|
||||
words:
|
||||
- '"query"'
|
||||
- '"data"'
|
||||
- '"__typename"'
|
||||
case-insensitive: true
|
||||
condition: and
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
||||
- "application/json"
|
Loading…
Reference in New Issue