update: more matchers + description + reference

patch-1
sandeep 2022-03-15 18:43:35 +05:30
parent a003e24add
commit 1df275d0ae
7 changed files with 134 additions and 76 deletions

View File

@ -1,25 +0,0 @@
id: graphql-alias-based-batching
info:
name: GraphQL Alias-based Batching
author: Dolev Farhi
severity: low
description: GraphQL allows batching multiple queries using Aliases
reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
matchers:
- type: word
part: body
words:
- "nuclei6"
case-insensitive: true

View File

@ -0,0 +1,41 @@
id: graphql-alias-batching
info:
name: GraphQL Alias-based Batching
author: Dolev Farhi
severity: low
description: |
GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including rate limit.
reference:
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
remediation: |
Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"data":'
- '"nuclei1":'
- '"nuclei6":'
condition: and
- type: word
part: header
words:
- "application/json"

View File

@ -1,11 +1,18 @@
id: graphql-array-based-batching
id: graphql-array-batching
info:
name: GraphQL Array-based Batching
author: Dolev Farhi
severity: low
description: GraphQL Allows Batching Requests using Arrays
reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
description: |
Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
reference:
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://graphql.security/
remediation: |
Deactivate or limit Batching in your GraphQL engine.
tags: graphql
requests:
@ -17,10 +24,17 @@ requests:
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Query"
- "Mutations"
- ':"Query"'
- ':"Mutations"'
case-insensitive: true
condition: and
- type: word
part: header
words:
- "application/json"

View File

@ -0,0 +1,37 @@
id: graphql-field-suggestion
info:
name: GraphQL Field Suggestion Information Disclosure
author: Dolev Farhi
severity: info
description: |
If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
By default, GraphQL backends have a feature for fields and operations suggestions.
If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
reference:
- https://github.com/webonyx/graphql-php/issues/454
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Did you mean"
- type: word
part: header
words:
- "application/json"

View File

@ -1,24 +0,0 @@
id: graphql-field-suggestions
info:
name: GraphQL Field Suggestion Enabled
author: Dolev Farhi
severity: low
description: GraphQL Allows Enumeration of Schema through Field Suggestions
reference: https://github.com/webonyx/graphql-php/issues/454
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
matchers:
- type: word
part: body
words:
- "Did you mean"

View File

@ -1,21 +0,0 @@
id: graphql-get-method-support
info:
name: GraphQL Allows GET method
author: Dolev Farhi
severity: low
description: GraphQL Allows querying using the GET method
reference: https://graphql.org/learn/serving-over-http/#get-request
tags: graphql
requests:
- method: GET
path:
- "{{BaseURL}}/graphql?query={__typename}"
matchers:
- type: word
part: body
words:
- "Query"
case-insensitive: true

View File

@ -0,0 +1,36 @@
id: graphql-get-method
info:
name: GraphQL CSRF / GET method
author: Dolev Farhi
severity: info
description: |
Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
reference:
- https://graphql.org/learn/serving-over-http/#get-request
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
tags: graphql
requests:
- method: GET
path:
- "{{BaseURL}}/graphql?query={__typename}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"query"'
- '"data"'
- '"__typename"'
case-insensitive: true
condition: and
- type: word
part: header
words:
- "application/json"