Table Of ContentCONTENTS IN DETAIL
TITLE PAGE
COPYRIGHT
ABOUT THE AUTHORS
FOREWORD
ACKNOWLEDGMENTS
INTRODUCTION
Who This Book Is For
The Book’s Lab and Code Repository
What’s in This Book
CHAPTER 1: A PRIMER ON GRAPHQL
The Basics
Origins
Use Cases
Specification
How Do Communications Work?
The Schema
Queries
The Query Parser and Resolver Functions
What Problems Does GraphQL Solve?
GraphQL APIs vs. REST APIs
The REST Example
The GraphQL Example
Other Differences
Your First Query
Summary
CHAPTER 2: SETTING UP A GRAPHQL SECURITY LAB
Taking Security Precautions
Installing Kali
Installing Web Clients
Querying from the Command Line with cURL
Querying from a GUI with Altair
Setting Up a Vulnerable GraphQL Server
Installing Docker
Deploying the Damn Vulnerable GraphQL Application
Testing DVGA
Installing GraphQL Hacking Tools
Burp Suite
Clairvoyance
InQL
Graphw00f
BatchQL
Nmap
Commix
graphql-path-enum
EyeWitness
GraphQL Cop
CrackQL
Summary
CHAPTER 3: THE GRAPHQL ATTACK SURFACE
What Is an Attack Surface?
The Language
Queries, Mutations, and Subscriptions
Operation Names
Fields
Arguments
Aliases
Fragments
Variables
Directives
Data Types
Objects
Scalars
Enums
Unions
Interfaces
Inputs
Introspection
Validation and Execution
Common Weaknesses
Specification Rule and Implementation Weaknesses
Denial of Service
Information Disclosure
Authentication and Authorization Flaws
Injections
Summary
CHAPTER 4: RECONNAISSANCE
Detecting GraphQL
Common Endpoints
Common Responses
Nmap Scans
The __typename Field
Graphw00f
Detecting GraphiQL Explorer and GraphQL Playground
Scanning for Graphical Interfaces with EyeWitness
Attempting a Query Using Graphical Clients
Querying GraphQL by Using Introspection
Visualizing Introspection with GraphQL Voyager
Generating Introspection Documentation with SpectaQL
Exploring Disabled Introspection
Fingerprinting GraphQL
Detecting Servers with Graphw00f
Analyzing Results
Summary
CHAPTER 5: DENIAL OF SERVICE
GraphQL DoS Vectors
Circular Queries
Circular Relationships in GraphQL Schemas
How to Identify Circular Relationships
Circular Query Vulnerabilities
Circular Introspection Vulnerabilities
Circular Fragment Vulnerabilities
Field Duplication
Understanding How Field Duplication Works
Testing for Field Duplication Vulnerabilities
Alias Overloading
Abusing Aliases for Denial of Service
Chaining Aliases and Circular Queries
Directive Overloading
Abusing Directives for Denial of Service
Testing for Directive Overloading
Object Limit Overriding
Array-Based Query Batching
Understanding How Array-Based Query Batching Works
Testing for Array-Based Query Batching
Chaining Circular Queries and Array-Based Query Batching
Detecting Query Batching by Using BatchQL
Performing a DoS Audit with GraphQL Cop
Denial-of-Service Defenses in GraphQL
Query Cost Analysis
Query Depth Limits
Alias and Array-Based Batching Limits
Field Duplication Limits
Limits on the Number of Returned Records
Query Allow Lists
Automatic Persisted Queries
Timeouts
Web Application Firewalls
Gateway Proxies
Summary
CHAPTER 6: INFORMATION DISCLOSURE
Identifying Information Disclosure Vectors in GraphQL
Automating Schema Extraction with InQL
Overcoming Disabled Introspection
Detecting Disabled Introspection
Exploiting Non-production Environments
Exploiting the __type Meta-field
Using Field Suggestions
Understanding the Edit-Distance Algorithm
Optimizing Field Suggestion Use
Considering Security Developments
Using Field Stuffing
Type Stuffing in the __type Meta-field
Automating Field Suggestion and Stuffing Using Clairvoyance
Abusing Error Messages
Exploring Excessive Error Messaging
Enabling Debugging
Inferring Information from Stack Traces
Leaking Data by Using GET-Based Queries
Summary
CHAPTER 7: AUTHENTICATION AND AUTHORIZATION BYPASS
ES
The State of Authentication and Authorization in GraphQL
In-Band vs. Out-of-Band
Common Approaches
Authentication Testing
Detecting the Authentication Layer
Brute-Forcing Passwords by Using Query Batching
Brute-Forcing Passwords with CrackQL
Using Allow-Listed Operation Names
Forging and Leaking JWT Credentials
Authorization Testing
Detecting the Authorization Layer
Enumerating Paths with graphql-path-enum
Brute-Forcing Arguments and Fields with CrackQL
Summary
CHAPTER 8: INJECTION
Injection Vulnerabilities in GraphQL
The Blast Radius of Malicious Input
The OWASP Top 10
The Injection Surface
Query Arguments
Field Arguments
Query Directive Arguments
Operation Names
Input Entry Points
SQL Injection
Understanding the Types of SQL Injection
Testing for SQLi
Testing DVGA for SQLi with Burp Suite
Automating SQL Injection
Operating System Command Injection
An Example
Manual Testing in DVGA
Automated Testing with Commix
Code Review of a Resolver Function
Cross-Site Scripting
Reflected XSS
Stored XSS
DOM-Based XSS
Testing for XSS in DVGA
Summary
CHAPTER 9: REQUEST FORGERY AND HIJACKING
Cross-Site Request Forgery
Locating State-Changing Actions
Testing for POST-Based Vulnerabilities
Automatically Submitting a CSRF Form
Testing for GET-Based Vulnerabilities
Using HTML Injection
Automating Testing with BatchQL and GraphQL Cop
Preventing CSRF
Server-Side Request Forgery
Understanding the Types of SSRF
Searching for Vulnerable Operations, Fields, and Arguments
Testing for SSRF
Preventing SSRF
Cross-Site WebSocket Hijacking
Finding Subscription Operations
Hijacking a Subscription Query
Preventing CSWSH
Summary
CHAPTER 10: DISCLOSED VULNERABILITIES AND EXPLOITS
Denial of Service
A Large Payload (HackerOne)
Regular Expressions (CS Money)
A Circular Introspection Query (GitLab)
Aliases for Field Duplication (Magento)
Array-Based Batching for Field Duplication (WPGraphQL)
Circular Fragments (Agoo)
Broken Authorization
Allowing Data Access to Deactivated Users (GitLab)
Allowing an Unprivileged Staff Member to Modify a Customer’s Email
(Shopify)
Disclosing the Number of Allowed Hackers Through a Team Object
(HackerOne)
Reading Private Notes (GitLab)
Disclosing Payment Transaction Information (HackerOne)
Information Disclosure
Enumerating GraphQL Users (GitLab)
Accessing the Introspection Query via WebSocket (Nuri)
Injection
SQL Injection in a GET Query Parameter (HackerOne)
SQL Injection in an Object Argument (Apache SkyWalking)
Cross-Site Scripting (GraphQL Playground)
Cross-Site Request Forgery (GitLab)
Summary
APPENDIX A: GRAPHQL API TESTING CHECKLIST
Reconnaissance
Denial of Service
Information Disclosure
Authentication and Authorization
