diff --git a/pentesting/pentesting-web/graphql.md b/pentesting/pentesting-web/graphql.md index 2163fc59..db2c76f8 100644 --- a/pentesting/pentesting-web/graphql.md +++ b/pentesting/pentesting-web/graphql.md @@ -70,7 +70,7 @@ However, in this example if you try to do so you get this **error**: ![](../../.gitbook/assets/image%20%2833%29.png) Looks like somehow it will search using the "_**uid**_" argument of type _**Int**_. -Anyway, we already knew that, in the [Basic Enumeration]() section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}` +Anyway, we already knew that, in the [Basic Enumeration](graphql.md#basic-enumeration) section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}` If you read the image provided when I run that query you will see that "_**user**_" had the **arg** "_**uid**_" of type _Int_. 
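Review bot: the new link target `graphql.md#basic-enumeration` only resolves if the file actually contains a heading titled exactly "Basic Enumeration", so please confirm that anchor exists before merging, otherwise this just swaps an empty link for a dead one. While you are on this line, "a query was purposed" should read "a query was proposed".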
@@ -91,6 +91,58 @@ If you can search by a string type, like: `query={theusers(description: ""){user GraphQL is a relatively new technology that is starting to gain some traction among startups and large corporations. Other than missing authentication by default graphQL endpoints can be vulnerable to other bugs such as IDOR. +### Mutations + +**Mutations are used to make changes in the server-side.** + +For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**. + +A mutation to **create new** movies inside the database can be like the following one \(in this example the mutation is called `addMovie`\): + +```javascript +mutation { + addMovie(name: "Jumanji: The Next Level", rating: "6.8/10", releaseYear: 2019) { + movies { + name + rating + } + } +} +``` + +**Note how both the values and type of data are indicated in the query.** + +There may also be also a **mutation** to **create** **persons** \(called `addPerson` in this example\) with friends and files \(note that the friends and films have to exist before creating a person related to them\): + +```javascript +mutation { + addPerson(name: "James Yoe", email: "jy@example.com", friends: [{name: "John Doe"}, {email: "jd@example.com"}], subscribedMovies: [{name: "Rocky"}, {name: "Interstellar"}, {name: "Harry Potter and the Sorcerer's Stone"}]) { + person { + name + email + friends { + edges { + node { + name + email + } + } + } + subscribedMovies { + edges { + node { + name + rating + releaseYear + } + } + } + } + } +} + +``` + ### Batching brute-force in 1 API request This information was take from [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/). 
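Review bot: both new code blocks are fenced as ```javascript but contain GraphQL documents, so the highlighter will mark them up wrongly; use ```graphql for both fences. The sentence "Note how both the values and type of data are indicated in the query" is misleading, because the mutation only carries literal values and the types are fixed by the server schema; rephrase to something like "note how the literal values reveal the scalar types the schema expects (a String for `rating`, an Int for `releaseYear`)", which is also the point an assessor would care about when checking what the mutation accepts. Minor wording on the added prose: "data base" should be "database", "can be friend with" should be "can be friends with", "There may also be also a mutation" has a duplicated "also", and "with friends and files" should be "with friends and films" to match the `subscribedMovies` argument. The second fence also has a stray blank line before the closing ``` that should be dropped.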
@@ -100,7 +152,9 @@ Below you can find the simplest demonstration of an application authentication r ![](../../.gitbook/assets/image%20%28245%29.png) - As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token. + + +As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token. ![](../../.gitbook/assets/image%20%28119%29.png)
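Review bot: the only substantive change here is removing the stray leading space from the "As we can see from the response screenshot" paragraph, but the hunk adds two more blank lines on top of the one already present, leaving three consecutive blank lines between the image and the paragraph; keep a single blank line so the rendered spacing matches the rest of the file.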