GitBook: [master] one page modified

This commit is contained in:
CPol 2021-03-13 16:07:57 +00:00 committed by gitbook-bot
parent 638a7817cb
commit 6c678fbbe7
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -70,7 +70,7 @@ However, in this example if you try to do so you get this **error**:
![](../../.gitbook/assets/image%20%2833%29.png)
Looks like somehow it will search using the "_**uid**_" argument of type _**Int**_.
Anyway, we already knew that, in the [Basic Enumeration]() section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}`
Anyway, we already knew that, in the [Basic Enumeration](graphql.md#basic-enumeration) section a query was purposed that was showing us all the needed information: `query={__schema{types{name,fields{name, args{name,description,type{name, kind, ofType{name, kind}}}}}}}`
If you read the image provided when I run that query you will see that "_**user**_" had the **arg** "_**uid**_" of type _Int_.
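Review bot: the link fix to `graphql.md#basic-enumeration` is the right repair for the empty `[Basic Enumeration]()` target, but the same line still says "a query was purposed", which should read "a query was proposed"; since the line is already being rewritten, fix the wording here too, and confirm that the `#basic-enumeration` anchor matches the actual heading slug GitBook generates for that section.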
@ -91,6 +91,58 @@ If you can search by a string type, like: `query={theusers(description: ""){user
GraphQL is a relatively new technology that is starting to gain some traction among startups and large corporations. Other than missing authentication by default graphQL endpoints can be vulnerable to other bugs such as IDOR.
### Mutations
**Mutations are used to make changes in the server-side.**
For this example imagine a data base with **persons** identified by the email and the name and **movies** identified by the name and rating. A **person** can be **friend** with other **persons** and a person can **have movies**.
A mutation to **create new** movies inside the database can be like the following one \(in this example the mutation is called `addMovie`\):
```javascript
mutation {
addMovie(name: "Jumanji: The Next Level", rating: "6.8/10", releaseYear: 2019) {
movies {
name
rating
}
}
}
```
**Note how both the values and type of data are indicated in the query.**
There may also be also a **mutation** to **create** **persons** \(called `addPerson` in this example\) with friends and files \(note that the friends and films have to exist before creating a person related to them\):
```javascript
mutation {
addPerson(name: "James Yoe", email: "jy@example.com", friends: [{name: "John Doe"}, {email: "jd@example.com"}], subscribedMovies: [{name: "Rocky"}, {name: "Interstellar"}, {name: "Harry Potter and the Sorcerer's Stone"}]) {
person {
name
email
friends {
edges {
node {
name
email
}
}
}
subscribedMovies {
edges {
node {
name
rating
releaseYear
}
}
}
}
}
}
```
### Batching brute-force in 1 API request
This information was take from [https://lab.wallarm.com/graphql-batching-attack/](https://lab.wallarm.com/graphql-batching-attack/).
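Review bot: the two new fenced blocks are tagged `javascript` but contain GraphQL mutation documents, so they should be tagged `graphql` (or left untagged) to get correct highlighting and not mislead readers about the syntax. A few wording fixes in the added prose: "data base" should be "database", "friends and files" should be "friends and films" (the example uses `subscribedMovies`), "There may also be also a mutation" has a doubled "also", and "This information was take from" should be "taken from". The bold note "both the values and type of data are indicated in the query" is slightly off: the mutation only passes literal values (`"6.8/10"`, `2019`); the argument types come from the schema, which is why the earlier introspection query is needed to learn them, so consider rephrasing to say the literals must match the types the schema declares. Finally, since this section introduces mutations as the server-side write path, a one-line reminder that mutations deserve the same authorization checks as queries would tie it to the IDOR remark just above.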
@ -100,7 +152,9 @@ Below you can find the simplest demonstration of an application authentication r
![](../../.gitbook/assets/image%20%28245%29.png)
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
As we can see from the response screenshot, the first and the third requests returned _null_ and reflected the corresponding information in the _error_ section. The **second mutation had the correct authentication** data and the response has the correct authentication session token.
![](../../.gitbook/assets/image%20%28119%29.png)
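Review bot: the removed and added lines in this hunk read identically, so the change appears to be whitespace-only or an invisible character edit; confirm that this was intended, because the rendered sentence does not change and the hunk adds noise to the history without a visible fix.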