Merge pull request #3866 from dolevf/master

GraphQL Nuclei Templates

misconfiguration/graphql/graphql-alias-batching.yaml

@@ -0,0 +1,41 @@
+id: graphql-alias-batching
+
+info:
+  name: GraphQL Alias-based Batching
+  author: Dolev Farhi
+  severity: low
+  description: |
+    GraphQL supports aliasing of multiple sub-queries into a single queries. This allows users to request multiple objects or multiple instances of objects efficiently.
+    However, an attacker can leverage this feature to evade many security measures, including rate limit.
+  reference:
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security/
+    - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+  remediation: |
+    Limit queries aliasing in your GraphQL Engine to ensure mitigation of aliasing-based attacks.
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n nuclei1:__typename \n nuclei2:__typename \n nuclei3:__typename \n nuclei4:__typename \n nuclei5:__typename \n nuclei6:__typename \n }"}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"data":'
+          - '"nuclei1":'
+          - '"nuclei6":'
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-array-batching.yaml

@@ -0,0 +1,40 @@
+id: graphql-array-batching
+
+info:
+  name: GraphQL Array-based Batching
+  author: Dolev Farhi
+  severity: low
+  description: |
+    Some GraphQL engines support batching of multiple queries into a single request. This allows users to request multiple objects or multiple instances of objects efficiently.
+    However, an attacker can leverage this feature to evade many security measures, including Rate Limit.
+  reference:
+    - https://stackoverflow.com/questions/62421352/graphql-difference-between-using-alias-versus-multiple-query-objects-when-doin
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://graphql.security/
+  remediation: |
+    Deactivate or limit Batching in your GraphQL engine.
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        [{"query":"query {\n __typename \n }"}, {"query":"mutation { \n __typename \n }"}]
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - ':"Query"'
+          - ':"Mutations"'
+        case-insensitive: true
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-field-suggestion.yaml

@@ -0,0 +1,37 @@
+id: graphql-field-suggestion
+
+info:
+  name: GraphQL Field Suggestion Information Disclosure
+  author: Dolev Farhi
+  severity: info
+  description: |
+    If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
+    By default, GraphQL backends have a feature for fields and operations suggestions.
+    If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
+  reference:
+    - https://github.com/webonyx/graphql-php/issues/454
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security
+  tags: graphql
+
+requests:
+  - raw:
+      - |
+        POST /graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Did you mean"
+
+      - type: word
+        part: header
+        words:
+          - "application/json"

misconfiguration/graphql/graphql-get-method.yaml

@@ -0,0 +1,36 @@
+id: graphql-get-method
+
+info:
+  name: GraphQL CSRF / GET method
+  author: Dolev Farhi
+  severity: info
+  description: |
+    Cross Site Request Forgery happens when an external website gains ability to make API calls impersonating an user if he visits the website while being authenticated to your API.
+    Allowing API calls through GET requests can lead to CSRF attacks, because cookies are added automatically to GET requests by the browser.
+  reference:
+    - https://graphql.org/learn/serving-over-http/#get-request
+    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
+    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
+    - https://graphql.security/
+  tags: graphql
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/graphql?query={__typename}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"query"'
+          - '"data"'
+          - '"__typename"'
+        case-insensitive: true
+        condition: and
+
+      - type: word
+        part: header
+        words:
+          - "application/json"