GraphQL Templates

vulnerabilities/other/graphql-alias-based-batching.yaml

@@ -0,0 +1,26 @@
+id: graphql-alias-based-batching
+
+info:
+  name: GraphQL Alias-based Batching
+  author: Dolev Farhi
+  severity: low
+  description: GraphQL allows batching multiple queries using Aliases
+  reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
+
+    matchers:
+      - type: word
+        case-insensitive: true
+        words:
+          - "nuclei6"
+        part: body
+

vulnerabilities/other/graphql-array-batching.yaml

@@ -0,0 +1,26 @@
+id: graphql-array-based-batching
+
+info:
+  name: GraphQL Array-based Batching
+  author: Dolev Farhi
+  severity: low
+  description: GraphQL Allows Batching Requests using Arrays
+  reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
+
+    matchers:
+      - type: word
+        case-insensitive: true
+        words:
+          - "Query"
+          - "Mutations"
+        part: body

vulnerabilities/other/graphql-field-suggestions.yaml

@@ -0,0 +1,24 @@
+id: graphql-field-suggestions
+
+info:
+  name: GraphQL Field Suggestion Enabled
+  author: Dolev Farhi
+  severity: low
+  description: GraphQL Allows Enumeration of Schema through Field Suggestions
+  reference: https://github.com/webonyx/graphql-php/issues/454
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}
+
+    matchers:
+      - type: word
+        words:
+          - "Did you mean"
+        part: body

vulnerabilities/other/graphql-get-method-support.yaml

@@ -0,0 +1,22 @@
+id: graphql-get-method-support
+
+info:
+  name: GraphQL Allows GET method
+  author: Dolev Farhi
+  severity: low
+  description: GraphQL Allows querying using the GET method
+  reference: https://graphql.org/learn/serving-over-http/#get-request
+  tags: graphql
+
+requests:
+  - method: GET
+    path:
+     - "{{BaseURL}}/graphql?query={__typename}"
+
+    matchers:
+    - type: word
+      case-insensitive: true
+      words:
+        - "Query"
+      part: body
+