🔮
P4n1cBook
  • 🏴‍☠️Welcome!
    • 🔮P4n1cBook
    • 🚨Licence and Disclaimer
    • ⚡About Author
    • 📚Bookmarks
  • Fundamentals
    • Basic Commands
      • Linux
      • Git
    • 🌐Network Protocols
      • ICMP
      • SSH
      • Telnet
      • DNS
      • FTP
      • HTTP/HTTPS
      • SMB
      • SNMP
      • SMTP
      • NFS
      • IPP
      • WinRM
      • LLMNR
    • Databases
      • MySQL
      • NoSQL
    • Web APIs
      • GraphQL
    • Shells/TTYs
    • 💾Regex
    • Dorks
    • Python Essentials
    • Cryptography
    • Reverse Engineering
    • Tools
      • curl
      • Netcat
      • tcpdump
      • Nmap
      • ffuf
      • Gobuster
      • feroxbuster
      • SQLmap
      • 🦈Wireshark
      • Metasploit
      • GoWitness
      • Crunch
      • NetExec
  • Web Exploitation
    • Recon
    • Main Techniques
      • Session Hijacking
      • SSRF
      • Eval Injection
      • Template Manipulation
      • Path Traversal
      • Prototype Pollution
      • XXE
      • Deserialization
      • Log Poisoning
      • Command Injection
      • SQLi
      • Arbitrary File Upload
      • SSTI
      • LFI
      • XSS
    • Web Servers
      • Apache
      • Nginx
    • Web Services
      • HashiCorp Vault
      • Laravel
      • Express
      • Magento
      • Tiny File Manager
      • Joomla
      • CMS Made Simple
      • Werkzeug
      • 🌵Cacti
      • Tomcat
      • Zabbix
      • OpenNetAdmin
      • Wordpress
      • Java-based web application
        • Struts
        • .WAR
        • JDWP
      • ImageMagick
  • Cloud Exploitation
    • Kubernetes
  • Post Exploitation
    • File Transfer
    • Credential Dumping
      • Thunderbird
    • Pivoting/Lateral Movement
    • Persistence
    • Linux Privilege Escalation
      • Hijacks
      • Jailbreaks
      • Binary Exploitation - Linux
      • Kernel Exploits
      • Buffer Overflow - Linux
      • Escaping Docker
  • Wireless Exploitation
    • NFC
Powered by GitBook
On this page
Edit on GitHub
  1. Fundamentals
  2. Web APIs

GraphQL

Data query and manipulation language for APIs

  • Uses HTTP/HTTPS, typically over POST requests.

  • JSON-based queries and responses.

  • Typically uses a single endpoint for all operations.

  • Apollo Server commonly uses port 4000 as its default when started without configuration.

  • Express-based GraphQL servers frequently use port 3000, simply because that's the default for many Express setups.

  • Introspection allows clients to query the API schema for available operations and data types.

Fuzzing Tips

  1. Test Query Depth and Complexity: Check server limits on nested or complex queries to prevent performance issues.

  2. Validate Input Types and Arguments: Test inputs with invalid data to identify validation weaknesses.

  3. Examine Query Aliasing and Batching: Test for data leaks via aliased queries and batched requests.

  4. Check for Introspection Misuse: Ensure introspection doesn't expose sensitive or unnecessary schema details.

  5. Assess Authorization Controls: Confirm proper enforcement of access controls for queries and operations.

  6. Evaluate Rate Limiting: Ensure the API handles excessive or malicious requests effectively.

  7. Fuzz Mutations: Test for security and validation flaws in mutation operations.

Introspection Queries

Query All types in the Schema
?query={__schema{types{name}}}

  • Queries all fields defined under the Query type:

?query={__type(name:"Query"){fields{name,description}}}

  • Fetches the fields of the User type:

?query={__type(name:"User"){fields{name,type{name,kind},description}}}

  • Fetches details about args for each field of the User type:

?query={__type(name:"User"){fields{name,type{name,kind},description,args{name,type{name,kind}}}}}

Data Queries

  • Queries the actual user object for its username and password fields.

?query=query{user{username,password}}

curl

curl -X POST -H "Content-Type: application/json" -d '{"query":"YOUR_QUERY_HERE"}' http:///graphql
PreviousWeb APIsNextShells/TTYs

Last updated 19 days ago