37 lines
1.7 KiB
YAML
37 lines
1.7 KiB
YAML
id: apollo-server-detect
|
|
|
|
info:
|
|
name: Apollo Server GraphQL introspection detection
|
|
author: idealphase
|
|
severity: info
|
|
description: Apollo Server is a community-maintained open-source GraphQL server. It works with many Node.js HTTP server frameworks, or can run on its own with a built-in Express server. Apollo Server works with any GraphQL schema built with GraphQL.js--or define a schema's type definitions using schema definition language (SDL).
|
|
reference: https://github.com/apollographql/apollo-server
|
|
tags: apollo,detect,graphql
|
|
|
|
requests:
|
|
- method: POST
|
|
path:
|
|
- "{{BaseURL}}/graphql"
|
|
|
|
headers:
|
|
Content-Type: application/json
|
|
|
|
body: |
|
|
{"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "Content-Type: application/json"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "GraphQL introspection is not allowed by Apollo Server"
|
|
|
|
- type: status
|
|
status:
|
|
- 400
|