From 3787b0594c145014d82bc501691d46606b2a2e54 Mon Sep 17 00:00:00 2001
From: Dolev Farhi
Date: Tue, 8 Mar 2022 14:03:10 -0500
Subject: [PATCH] GraphQL Templates
---
.../other/graphql-alias-based-batching.yaml | 26 +++++++++++++++++++
.../other/graphql-array-batching.yaml | 26 +++++++++++++++++++
.../other/graphql-field-suggestions.yaml | 24 +++++++++++++++++
.../other/graphql-get-method-support.yaml | 22 ++++++++++++++++
4 files changed, 98 insertions(+)
create mode 100644 vulnerabilities/other/graphql-alias-based-batching.yaml
create mode 100644 vulnerabilities/other/graphql-array-batching.yaml
create mode 100644 vulnerabilities/other/graphql-field-suggestions.yaml
create mode 100644 vulnerabilities/other/graphql-get-method-support.yaml
diff --git a/vulnerabilities/other/graphql-alias-based-batching.yaml b/vulnerabilities/other/graphql-alias-based-batching.yaml
new file mode 100644
index 0000000000..ba299fb452
--- /dev/null
+++ b/vulnerabilities/other/graphql-alias-based-batching.yaml
@@ -0,0 +1,26 @@
+id: graphql-alias-based-batching
+
+info:
+ name: GraphQL Alias-based Batching
+ author: Dolev Farhi
+ severity: low
+ description: GraphQL allows batching multiple queries using Aliases
+ reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+ tags: graphql
+
+requests:
+ - raw:
+ - |
+ POST /graphql HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
+
+ matchers:
+ - type: word
+ case-insensitive: true
+ words:
+ - "nuclei6"
+ part: body
+
diff --git a/vulnerabilities/other/graphql-array-batching.yaml b/vulnerabilities/other/graphql-array-batching.yaml
new file mode 100644
index 0000000000..b5d50eb532
--- /dev/null
+++ b/vulnerabilities/other/graphql-array-batching.yaml
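Review bot: The matcher at the end of the hunk fires on the bare substring `nuclei6` anywhere in the body, so if a server rejects the aliased query but echoes the alias names in its error message, the template still reports alias batching as enabled. Successful alias batching returns each alias resolved to the root type name, so anchoring the match on that key/value shape — `- type: regex` / `regex:` / `- '"nuclei6"\s*:\s*"Query"'` with `part: body` — makes the template report only the condition the description names. With the match bound to the JSON pair, the `case-insensitive: true` flag becomes unnecessary, since GraphQL type names are case-sensitive and the flag only widens the false-positive surface.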
@@ -0,0 +1,26 @@
+id: graphql-array-based-batching
+
+info:
+ name: GraphQL Array-based Batching
+ author: Dolev Farhi
+ severity: low
+ description: GraphQL Allows Batching Requests using Arrays
+ reference: https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+ tags: graphql
+
+requests:
+ - raw:
+ - |
+ POST /graphql HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
+
+ matchers:
+ - type: word
+ case-insensitive: true
+ words:
+ - "Query"
+ - "Mutations"
+ part: body
diff --git a/vulnerabilities/other/graphql-field-suggestions.yaml b/vulnerabilities/other/graphql-field-suggestions.yaml
new file mode 100644
index 0000000000..2d32035f89
--- /dev/null
+++ b/vulnerabilities/other/graphql-field-suggestions.yaml
@@ -0,0 +1,24 @@
+id: graphql-field-suggestions
+
+info:
+ name: GraphQL Field Suggestion Enabled
+ author: Dolev Farhi
+ severity: low
+ description: GraphQL Allows Enumeration of Schema through Field Suggestions
+ reference: https://github.com/webonyx/graphql-php/issues/454
+ tags: graphql
+
+requests:
+ - raw:
+ - |
+ POST /graphql HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+
+ {"query":"query {\n __schema {\n directive\n }\n}","variables":null}
+
+ matchers:
+ - type: word
+ words:
+ - "Did you mean"
+ part: body
diff --git a/vulnerabilities/other/graphql-get-method-support.yaml b/vulnerabilities/other/graphql-get-method-support.yaml
new file mode 100644
index 0000000000..cc21d1ef0b
--- /dev/null
+++ b/vulnerabilities/other/graphql-get-method-support.yaml
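Review bot: The `words` matcher closing the array-batching hunk is case-insensitive and, with no `condition` given, treats its entries as alternatives, so any body containing the substring `query` — including an error response that rejects the array or echoes the request text — satisfies it and the template reports batching where none exists; the single `Query` word matcher in graphql-get-method-support.yaml (the last hunk of this patch) has the same weakness. `Mutations` also looks like a slip for `Mutation`, the conventional root mutation type name that `__typename` would return, so the second entry most likely never matches and adds no evidence. Matching the batched response shape with both operations required ties the detection to the actual capability; the replacement below does that and tolerates whitespace, since JSON serializers differ on spacing around the colon. Separately, `id: graphql-array-based-batching` does not match the file name graphql-array-batching.yaml, whereas the other three templates in this patch keep id and file name identical.

```yaml
# … unchanged: id, info and the raw batched request …
    matchers:
      - type: regex
        condition: and
        regex:
          - '"__typename"\s*:\s*"Query"'
          - '"__typename"\s*:\s*"Mutation"'
        part: body
```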
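Review bot: The `Did you mean` word matcher at the end of the field-suggestions hunk is not tied to the probe: the request deliberately misspells `directives` as `directive`, yet any body carrying that phrase (a framework 404 page or a search hint, for example) counts as a hit. Requiring the suggested field name as well keeps the match bound to what was sent: `words:` / `- "Did you mean"` / `- "directives"` together with `condition: and`. It is also worth stating in the description that the check depends on the server echoing a suggestion in its error message, which is implementation-specific as the linked graphql-php issue indicates, so a non-match does not establish that suggestions are disabled.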
@@ -0,0 +1,22 @@
+id: graphql-get-method-support
+
+info:
+ name: GraphQL Allows GET method
+ author: Dolev Farhi
+ severity: low
+ description: GraphQL Allows querying using the GET method
+ reference: https://graphql.org/learn/serving-over-http/#get-request
+ tags: graphql
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/graphql?query={__typename}"
+
+ matchers:
+ - type: word
+ case-insensitive: true
+ words:
+ - "Query"
+ part: body
+
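Review bot: The `description` in this hunk says only that GET is accepted, which leaves whoever triages the finding without the reason it is reported; a sentence on the exposure would help, e.g. `description: GraphQL endpoint executes operations passed as a GET query string; such requests can be triggered cross-origin by a plain link or image tag and leave the full operation in URL logs and caches, so verify that state-changing operations are not also accepted this way.` The template only sends a read-only `__typename` query, so on its own the result is informational, and the proposed wording makes that explicit. The graphql.org reference documents the GET request format but not the risk, so a second reference covering the latter would round out the `info` block.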