Merge pull request #3866 from dolevf/master

GraphQL Nuclei Templates
patch-1
Sandeep Singh 2022-03-15 19:13:28 +05:30 committed by GitHub
commit cca29dd553
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 154 additions and 0 deletions

@ -0,0 +1,41 @@
id: graphql-alias-batching
info:
name: GraphQL Alias-based Batching
author: Dolev Farhi
severity: low
description: |
GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including rate limit.
reference:
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
remediation: |
Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"data":'
- '"nuclei1":'
- '"nuclei6":'
condition: and
- type: word
part: header
words:
- "application/json"
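Review bot: the description and remediation in this hunk carry grammar slips that will show up verbatim in the rendered template info: "into a single queries" should read "into a single query", "rate limit" is capitalized differently from the sibling graphql-array-batching template ("Rate Limit"), and "Limit queries aliasing in your GraphQL Engine" reads better as "Limit query aliasing in your GraphQL engine". The matcher logic itself is sound: requiring `"nuclei1":` and `"nuclei6":` together with `"data":` confirms the engine resolved the first and the last alias instead of rejecting the document.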

@ -0,0 +1,40 @@
id: graphql-array-batching
info:
name: GraphQL Array-based Batching
author: Dolev Farhi
severity: low
description: |
Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
reference:
- https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://graphql.security/
remediation: |
Deactivate or limit Batching in your GraphQL engine.
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
[{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
matchers-condition: and
matchers:
- type: word
part: body
words:
- ':"Query"'
- ':"Mutations"'
case-insensitive: true
condition: and
- type: word
part: header
words:
- "application/json"
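Review bot: the body matcher in this hunk will miss most targets. With `condition: and` it requires both `:"Query"` and `:"Mutations"`, but `__typename` on the mutation root returns that root type's name, which by convention is `Mutation`, so the substring `:"Mutations"` does not appear in a standard response and `case-insensitive: true` does not help with the extra `s`. Suggest `- ':"Mutation"'`, or better, drop the dependence on root type names entirely and match the batched shape of the reply (for example a `type: regex` matcher anchored on a leading `[` followed by `{"data"`), since an engine without array batching rejects the JSON array outright. Same minor nit as the alias template: "Rate Limit" vs "rate limit".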

@ -0,0 +1,37 @@
id: graphql-field-suggestion
info:
name: GraphQL Field Suggestion Information Disclosure
author: Dolev Farhi
severity: info
description: |
If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
By default, GraphQL backends have a feature for fields and operations suggestions.
If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
reference:
- https://github.com/webonyx/graphql-php/issues/454
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security
tags: graphql
requests:
- raw:
- |
POST /graphql HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"query":"query {\n __schema {\n directive\n }\n}","variables":null}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "Did you mean"
- type: word
part: header
words:
- "application/json"
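Review bot: this template has no `remediation` block, unlike the two batching templates, even though the graphql-php issue it references is about turning suggestions off; add a short remediation line (disable field suggestions in production, at least wherever introspection is disabled) so the finding is actionable. Also fix the description: "earn information" should be "learn information", and "on your target" reads better as "on the target". The probe itself is fine: `__schema { directive }` is a deliberate one-letter typo for `directives`, but the match on `Did you mean` depends on the engine using that exact phrasing, so engines that word their hint differently are not detected; that limitation is worth stating in the description.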

@ -0,0 +1,36 @@
id: graphql-get-method
info:
name: GraphQL CSRF / GET method
author: Dolev Farhi
severity: info
description: |
Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
reference:
- https://graphql.org/learn/serving-over-http/#get-request
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
- https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
- https://graphql.security/
tags: graphql
requests:
- method: GET
path:
- "{{BaseURL}}/graphql?query={__typename}"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"query"'
- '"data"'
- '"__typename"'
case-insensitive: true
condition: and
- type: word
part: header
words:
- "application/json"
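Review bot: the description overstates what this template proves. It only shows that a read-only query (`{__typename}`) is served over GET; the referenced graphql.org page treats GET as acceptable for queries, and the CSRF impact depends on whether mutations are also executed over GET (or whether POST lacks CSRF protection), which the request here does not test. Suggest rewording the description to say the check detects query execution via GET and that mutation-over-GET should be confirmed separately, and adding a `remediation` block (reject mutations on GET, require a custom header or CSRF token) as the batching templates do. The body matcher also relies on the root type being named `Query`: with `case-insensitive: true` the word `"query"` only matches the `"Query"` typename value, so a schema with a differently named root type is missed; `"data"` plus `"__typename"` already establishes that the query was executed. Grammar: "impersonating an user if he visits" should read "impersonating a user who visits".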