Black Hat GraphQL: Attacking Next Generation APIs PDF

414 Pages·2023·7.715 MB·English

Preview Black Hat GraphQL: Attacking Next Generation APIs

CONTENTS IN DETAIL

TITLE PAGE
COPYRIGHT
ABOUT THE AUTHORS
FOREWORD
ACKNOWLEDGMENTS

INTRODUCTION
    Who This Book Is For
    The Book's Lab and Code Repository
    What's in This Book

CHAPTER 1: A PRIMER ON GRAPHQL
    The Basics
    Origins
    Use Cases
    Specification
    How Do Communications Work?
    The Schema
    Queries
    The Query Parser and Resolver Functions
    What Problems Does GraphQL Solve?
    GraphQL APIs vs. REST APIs
    The REST Example
    The GraphQL Example
    Other Differences
    Your First Query
    Summary

CHAPTER 2: SETTING UP A GRAPHQL SECURITY LAB
    Taking Security Precautions
    Installing Kali
    Installing Web Clients
    Querying from the Command Line with cURL
    Querying from a GUI with Altair
    Setting Up a Vulnerable GraphQL Server
    Installing Docker
    Deploying the Damn Vulnerable GraphQL Application
    Testing DVGA
    Installing GraphQL Hacking Tools
    Burp Suite
    Clairvoyance
    InQL
    Graphw00f
    BatchQL
    Nmap
    Commix
    graphql-path-enum
    EyeWitness
    GraphQL Cop
    CrackQL
    Summary

CHAPTER 3: THE GRAPHQL ATTACK SURFACE
    What Is an Attack Surface?
    The Language
    Queries, Mutations, and Subscriptions
    Operation Names
    Fields
    Arguments
    Aliases
    Fragments
    Variables
    Directives
    Data Types
    Objects
    Scalars
    Enums
    Unions
    Interfaces
    Inputs
    Introspection
    Validation and Execution
    Common Weaknesses
    Specification Rule and Implementation Weaknesses
    Denial of Service
    Information Disclosure
    Authentication and Authorization Flaws
    Injections
    Summary

CHAPTER 4: RECONNAISSANCE
    Detecting GraphQL
    Common Endpoints
    Common Responses
    Nmap Scans
    The __typename Field
    Graphw00f
    Detecting GraphiQL Explorer and GraphQL Playground
    Scanning for Graphical Interfaces with EyeWitness
    Attempting a Query Using Graphical Clients
    Querying GraphQL by Using Introspection
    Visualizing Introspection with GraphQL Voyager
    Generating Introspection Documentation with SpectaQL
    Exploring Disabled Introspection
    Fingerprinting GraphQL
    Detecting Servers with Graphw00f
    Analyzing Results
    Summary

CHAPTER 5: DENIAL OF SERVICE
    GraphQL DoS Vectors
    Circular Queries
    Circular Relationships in GraphQL Schemas
    How to Identify Circular Relationships
    Circular Query Vulnerabilities
    Circular Introspection Vulnerabilities
    Circular Fragment Vulnerabilities
    Field Duplication
    Understanding How Field Duplication Works
    Testing for Field Duplication Vulnerabilities
    Alias Overloading
    Abusing Aliases for Denial of Service
    Chaining Aliases and Circular Queries
    Directive Overloading
    Abusing Directives for Denial of Service
    Testing for Directive Overloading
    Object Limit Overriding
    Array-Based Query Batching
    Understanding How Array-Based Query Batching Works
    Testing for Array-Based Query Batching
    Chaining Circular Queries and Array-Based Query Batching
    Detecting Query Batching by Using BatchQL
    Performing a DoS Audit with GraphQL Cop
    Denial-of-Service Defenses in GraphQL
    Query Cost Analysis
    Query Depth Limits
    Alias and Array-Based Batching Limits
    Field Duplication Limits
    Limits on the Number of Returned Records
    Query Allow Lists
    Automatic Persisted Queries
    Timeouts
    Web Application Firewalls
    Gateway Proxies
    Summary

CHAPTER 6: INFORMATION DISCLOSURE
    Identifying Information Disclosure Vectors in GraphQL
    Automating Schema Extraction with InQL
    Overcoming Disabled Introspection
    Detecting Disabled Introspection
    Exploiting Non-production Environments
    Exploiting the __type Meta-field
    Using Field Suggestions
    Understanding the Edit-Distance Algorithm
    Optimizing Field Suggestion Use
    Considering Security Developments
    Using Field Stuffing
    Type Stuffing in the __type Meta-field
    Automating Field Suggestion and Stuffing Using Clairvoyance
    Abusing Error Messages
    Exploring Excessive Error Messaging
    Enabling Debugging
    Inferring Information from Stack Traces
    Leaking Data by Using GET-Based Queries
    Summary

CHAPTER 7: AUTHENTICATION AND AUTHORIZATION BYPASSES
    The State of Authentication and Authorization in GraphQL
    In-Band vs. Out-of-Band
    Common Approaches
    Authentication Testing
    Detecting the Authentication Layer
    Brute-Forcing Passwords by Using Query Batching
    Brute-Forcing Passwords with CrackQL
    Using Allow-Listed Operation Names
    Forging and Leaking JWT Credentials
    Authorization Testing
    Detecting the Authorization Layer
    Enumerating Paths with graphql-path-enum
    Brute-Forcing Arguments and Fields with CrackQL
    Summary

CHAPTER 8: INJECTION
    Injection Vulnerabilities in GraphQL
    The Blast Radius of Malicious Input
    The OWASP Top 10
    The Injection Surface
    Query Arguments
    Field Arguments
    Query Directive Arguments
    Operation Names
    Input Entry Points
    SQL Injection
    Understanding the Types of SQL Injection
    Testing for SQLi
    Testing DVGA for SQLi with Burp Suite
    Automating SQL Injection
    Operating System Command Injection
    An Example
    Manual Testing in DVGA
    Automated Testing with Commix
    Code Review of a Resolver Function
    Cross-Site Scripting
    Reflected XSS
    Stored XSS
    DOM-Based XSS
    Testing for XSS in DVGA
    Summary

CHAPTER 9: REQUEST FORGERY AND HIJACKING
    Cross-Site Request Forgery
    Locating State-Changing Actions
    Testing for POST-Based Vulnerabilities
    Automatically Submitting a CSRF Form
    Testing for GET-Based Vulnerabilities
    Using HTML Injection
    Automating Testing with BatchQL and GraphQL Cop
    Preventing CSRF
    Server-Side Request Forgery
    Understanding the Types of SSRF
    Searching for Vulnerable Operations, Fields, and Arguments
    Testing for SSRF
    Preventing SSRF
    Cross-Site WebSocket Hijacking
    Finding Subscription Operations
    Hijacking a Subscription Query
    Preventing CSWSH
    Summary

CHAPTER 10: DISCLOSED VULNERABILITIES AND EXPLOITS
    Denial of Service
    A Large Payload (HackerOne)
    Regular Expressions (CS Money)
    A Circular Introspection Query (GitLab)
    Aliases for Field Duplication (Magento)
    Array-Based Batching for Field Duplication (WPGraphQL)
    Circular Fragments (Agoo)
    Broken Authorization
    Allowing Data Access to Deactivated Users (GitLab)
    Allowing an Unprivileged Staff Member to Modify a Customer's Email (Shopify)
    Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)
    Reading Private Notes (GitLab)
    Disclosing Payment Transaction Information (HackerOne)
    Information Disclosure
    Enumerating GraphQL Users (GitLab)
    Accessing the Introspection Query via WebSocket (Nuri)
    Injection
    SQL Injection in a GET Query Parameter (HackerOne)
    SQL Injection in an Object Argument (Apache SkyWalking)
    Cross-Site Scripting (GraphQL Playground)
    Cross-Site Request Forgery (GitLab)
    Summary

APPENDIX A: GRAPHQL API TESTING CHECKLIST
    Reconnaissance
    Denial of Service
    Information Disclosure
    Authentication and Authorization
