
Download the book BLACK HAT GRAPHQL

BLACK HAT GRAPHQL

Book details

BLACK HAT GRAPHQL

Edition:
Authors:
Series:
ISBN: 9781718502857
Publisher: William Pollock
Year of publication: 2023
Number of pages: 414
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 8 MB

Book price (toman): 84,000





If you need the file of BLACK HAT GRAPHQL converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support and they will convert the file for you.

Note that Black Hat GraphQL is the original English edition, not a Persian translation. The International Library website provides books in their original language only and offers no books translated into or written in Persian.


Book description (in the original language)



Table of Contents

Title Page
Copyright
About the Authors
Foreword
Acknowledgments
Introduction
	Who This Book Is For
	The Book’s Lab and Code Repository
	What’s in This Book
Chapter 1: A Primer on GraphQL
	The Basics
		Origins
		Use Cases
		Specification
	How Do Communications Work?
		The Schema
		Queries
		The Query Parser and Resolver Functions
	What Problems Does GraphQL Solve?
	GraphQL APIs vs. REST APIs
		The REST Example
		The GraphQL Example
		Other Differences
	Your First Query
	Summary
Chapter 2: Setting Up a GraphQL Security Lab
	Taking Security Precautions
	Installing Kali
	Installing Web Clients
		Querying from the Command Line with cURL
		Querying from a GUI with Altair
	Setting Up a Vulnerable GraphQL Server
		Installing Docker
		Deploying the Damn Vulnerable GraphQL Application
		Testing DVGA
	Installing GraphQL Hacking Tools
		Burp Suite
		Clairvoyance
		InQL
		Graphw00f
		BatchQL
		Nmap
		Commix
		graphql-path-enum
		EyeWitness
		GraphQL Cop
		CrackQL
	Summary
Chapter 3: The GraphQL Attack Surface
	What Is an Attack Surface?
	The Language
		Queries, Mutations, and Subscriptions
		Operation Names
		Fields
		Arguments
		Aliases
		Fragments
		Variables
		Directives
	Data Types
		Objects
		Scalars
		Enums
		Unions
		Interfaces
		Inputs
	Introspection
	Validation and Execution
	Common Weaknesses
		Specification Rule and Implementation Weaknesses
		Denial of Service
		Information Disclosure
		Authentication and Authorization Flaws
		Injections
	Summary
Chapter 4: Reconnaissance
	Detecting GraphQL
		Common Endpoints
		Common Responses
		Nmap Scans
		The __typename Field
		Graphw00f
	Detecting GraphiQL Explorer and GraphQL Playground
		Scanning for Graphical Interfaces with EyeWitness
		Attempting a Query Using Graphical Clients
	Querying GraphQL by Using Introspection
		Visualizing Introspection with GraphQL Voyager
		Generating Introspection Documentation with SpectaQL
		Exploring Disabled Introspection
	Fingerprinting GraphQL
		Detecting Servers with Graphw00f
		Analyzing Results
	Summary
Chapter 5: Denial of Service
	GraphQL DoS Vectors
	Circular Queries
		Circular Relationships in GraphQL Schemas
		How to Identify Circular Relationships
		Circular Query Vulnerabilities
		Circular Introspection Vulnerabilities
		Circular Fragment Vulnerabilities
	Field Duplication
		Understanding How Field Duplication Works
		Testing for Field Duplication Vulnerabilities
	Alias Overloading
		Abusing Aliases for Denial of Service
		Chaining Aliases and Circular Queries
	Directive Overloading
		Abusing Directives for Denial of Service
		Testing for Directive Overloading
	Object Limit Overriding
	Array-Based Query Batching
		Understanding How Array-Based Query Batching Works
		Testing for Array-Based Query Batching
		Chaining Circular Queries and Array-Based Query Batching
		Detecting Query Batching by Using BatchQL
	Performing a DoS Audit with GraphQL Cop
	Denial-of-Service Defenses in GraphQL
		Query Cost Analysis
		Query Depth Limits
		Alias and Array-Based Batching Limits
		Field Duplication Limits
		Limits on the Number of Returned Records
		Query Allow Lists
		Automatic Persisted Queries
		Timeouts
		Web Application Firewalls
		Gateway Proxies
	Summary
Chapter 6: Information Disclosure
	Identifying Information Disclosure Vectors in GraphQL
	Automating Schema Extraction with InQL
	Overcoming Disabled Introspection
		Detecting Disabled Introspection
		Exploiting Non-production Environments
		Exploiting the __type Meta-field
	Using Field Suggestions
		Understanding the Edit-Distance Algorithm
		Optimizing Field Suggestion Use
		Considering Security Developments
	Using Field Stuffing
	Type Stuffing in the __type Meta-field
	Automating Field Suggestion and Stuffing Using Clairvoyance
	Abusing Error Messages
		Exploring Excessive Error Messaging
		Enabling Debugging
		Inferring Information from Stack Traces
	Leaking Data by Using GET-Based Queries
	Summary
Chapter 7: Authentication and Authorization Bypasses
	The State of Authentication and Authorization in GraphQL
		In-Band vs. Out-of-Band
		Common Approaches
	Authentication Testing
		Detecting the Authentication Layer
		Brute-Forcing Passwords by Using Query Batching
		Brute-Forcing Passwords with CrackQL
		Using Allow-Listed Operation Names
		Forging and Leaking JWT Credentials
	Authorization Testing
		Detecting the Authorization Layer
		Enumerating Paths with graphql-path-enum
		Brute-Forcing Arguments and Fields with CrackQL
	Summary
Chapter 8: Injection
	Injection Vulnerabilities in GraphQL
		The Blast Radius of Malicious Input
		The OWASP Top 10
	The Injection Surface
		Query Arguments
		Field Arguments
		Query Directive Arguments
		Operation Names
	Input Entry Points
	SQL Injection
		Understanding the Types of SQL Injection
		Testing for SQLi
		Testing DVGA for SQLi with Burp Suite
		Automating SQL Injection
	Operating System Command Injection
		An Example
		Manual Testing in DVGA
		Automated Testing with Commix
		Code Review of a Resolver Function
	Cross-Site Scripting
		Reflected XSS
		Stored XSS
		DOM-Based XSS
		Testing for XSS in DVGA
	Summary
Chapter 9: Request Forgery and Hijacking
	Cross-Site Request Forgery
		Locating State-Changing Actions
		Testing for POST-Based Vulnerabilities
		Automatically Submitting a CSRF Form
		Testing for GET-Based Vulnerabilities
		Using HTML Injection
		Automating Testing with BatchQL and GraphQL Cop
		Preventing CSRF
	Server-Side Request Forgery
		Understanding the Types of SSRF
		Searching for Vulnerable Operations, Fields, and Arguments
		Testing for SSRF
		Preventing SSRF
	Cross-Site WebSocket Hijacking
		Finding Subscription Operations
		Hijacking a Subscription Query
		Preventing CSWSH
	Summary
Chapter 10: Disclosed Vulnerabilities and Exploits
	Denial of Service
		A Large Payload (HackerOne)
		Regular Expressions (CS Money)
		A Circular Introspection Query (GitLab)
		Aliases for Field Duplication (Magento)
		Array-Based Batching for Field Duplication (WPGraphQL)
		Circular Fragments (Agoo)
	Broken Authorization
		Allowing Data Access to Deactivated Users (GitLab)
		Allowing an Unprivileged Staff Member to Modify a Customer’s Email (Shopify)
		Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)
		Reading Private Notes (GitLab)
		Disclosing Payment Transaction Information (HackerOne)
	Information Disclosure
		Enumerating GraphQL Users (GitLab)
		Accessing the Introspection Query via WebSocket (Nuri)
	Injection
		SQL Injection in a GET Query Parameter (HackerOne)
		SQL Injection in an Object Argument (Apache SkyWalking)
		Cross-Site Scripting (GraphQL Playground)
	Cross-Site Request Forgery (GitLab)
	Summary
Appendix A: GraphQL API Testing Checklist
	Reconnaissance
	Denial of Service
	Information Disclosure
	Authentication and Authorization
	Injection
	Forging Requests
	Hijacking Requests
Appendix B: GraphQL Security Resources
	Penetration Testing Tips and Tricks
	Hands-on Hacking Labs
	Security Videos
Index




User comments