Hacking GraphQL : Hacker101 CTF BugDB v1

What is GraphQL?
https://graphql.org/

Introduction

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.

GraphQL is now very popular and is used by many companies. From a bug hunter's and web application tester's point of view this is a new skill and an attack vector which should be added to the arsenal.

In this article we will try to learn GraphQL hacking by doing a CTF. It is assumed that you have only limited knowledge of the weaknesses which a default GraphQL implementation contains.

Setup and Tools

There are few resources available out on the web for learning to hack GraphQL, and one such resource is HackerOne's CTF. Register, log in and look for "BugDB v1" under the "Web, GraphQL" skill.

https://ctf.hacker101.com/ctf

Start "BugDB v1", navigate to the challenge, and you will be presented with an interface like this:

GraphiQL

This is called GraphiQL, an interactive in-browser GraphQL IDE (Integrated Development Environment). If exposed (usually in default implementations and in dev/staging environments) it is usually found at the /graphiql endpoint. That's good, now what?

Introspection and Schema

GraphQL introspection enables you to query a GraphQL server for information about the underlying schema. This includes data like types, fields, queries, mutations, and even the field-level descriptions. Introspection is usually enabled by default on most of the GraphQL implementations.

But this should be disabled in production, because an attacker can use it to map the whole schema of your API. Read this for the details on why introspection should be disabled in production:

https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

We can use the following query to get the whole schema:

GraphQL Visualizer

Put the introspection query from the last section in the GraphiQL IDE, and the result we get back is the whole schema of the GraphQL target:

GraphiQL Introspection Full Schema Output

Now paste this output on this very useful website:

http://nathanrandal.com/graphql-visualizer/

Introspection Visualization

1 → The website URL.

2 → The introspection query, the same one given in the GraphiQL IDE. This is prefilled on the website.

3 → The introspection result, where the output/schema we got from the GraphiQL IDE needs to be pasted. After pasting the output, just click anywhere outside box 3 to get the result.

4 → The result, a nice visualization of the whole schema which is much easier to understand; it shows the relationships and the queries supported by this GraphQL-enabled target/website.

The next question should be: what is a GraphQL query?

A GraphQL operation can either be a read or a write operation. A GraphQL query, used to read or fetch values, is a simple string that a GraphQL server can parse and respond to with data in a specific format. The most popular response format is JSON. You can think of a GraphQL query as a GET request.

Read more here:

https://graphql.org/learn/queries/

Run Queries and Find Flag

So from the result we got, we can see the following queries are supported:

Supported Queries

The ! marks a field or argument as non-nullable, meaning that the GraphQL service promises to always give you a value when you query this field (and, for an argument, that you must supply one). In the type language this is represented with an exclamation mark.

So let's pick this one:

allBugs(before:String, after:String, first:Int, last:Int): BugsConnection

So allBugs takes 4 parameters and returns a value of type BugsConnection.
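As an added example (my own script, not code from the article or from the Hacker101 CTF), the following Python turns the JSON that the introspection query returns into signature lines of the same form as the allBugs line above, rendering NON_NULL wrappers as ! and LIST wrappers as [...]. The introspection result embedded in it is constructed: only allBugs and BugsConnection follow the article's schema; the node field and the PageInfo and BugsEdge type names are assumptions.

```python
import json

# Constructed sample of an introspection result (not the CTF's real output).
# Shape matches the standard __schema query; only allBugs mirrors the article.
SAMPLE_INTROSPECTION = json.loads("""
{"data": {"__schema": {"queryType": {"name": "Query"}, "types": [
 {"kind": "OBJECT", "name": "Query", "fields": [
  {"name": "allBugs", "args": [
   {"name": "before", "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
   {"name": "after", "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
   {"name": "first", "type": {"kind": "SCALAR", "name": "Int", "ofType": null}},
   {"name": "last", "type": {"kind": "SCALAR", "name": "Int", "ofType": null}}],
   "type": {"kind": "OBJECT", "name": "BugsConnection", "ofType": null}},
  {"name": "node", "args": [
   {"name": "id", "type": {"kind": "NON_NULL", "name": null,
    "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}],
   "type": {"kind": "INTERFACE", "name": "Node", "ofType": null}}]},
 {"kind": "OBJECT", "name": "BugsConnection", "fields": [
  {"name": "pageInfo", "args": [], "type": {"kind": "NON_NULL", "name": null,
   "ofType": {"kind": "OBJECT", "name": "PageInfo", "ofType": null}}},
  {"name": "edges", "args": [], "type": {"kind": "LIST", "name": null,
   "ofType": {"kind": "OBJECT", "name": "BugsEdge", "ofType": null}}}]}
]}}}
""")

def type_ref(t):
    """Render a type reference as the SDL does: NON_NULL -> '!', LIST -> '[..]'."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]

def field_signature(field):
    """One field as 'name(arg:Type, ...): ReturnType'."""
    args = ", ".join(f"{a['name']}:{type_ref(a['type'])}" for a in field["args"])
    head = f"{field['name']}({args})" if args else field["name"]
    return f"{head}: {type_ref(field['type'])}"

def type_signatures(introspection, type_name=None):
    """Field signatures of one object type (default: the root query type)."""
    schema = introspection["data"]["__schema"]
    name = type_name or schema["queryType"]["name"]
    types = {t["name"]: t for t in schema["types"]}
    return [field_signature(f) for f in types[name].get("fields") or []]

if __name__ == "__main__":
    for sig in type_signatures(SAMPLE_INTROSPECTION):  # the supported queries
        print(sig)
```

Calling type_signatures with a type name such as "BugsConnection" walks the relationships the Visualizer draws, one type at a time.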

From the Introspection Visualization we can also see the further relationships, like:

  • BugsConnection is made up of fields named pageInfo and edges
  • pageInfo is made up of the fields hasNextPage, hasPreviousPage, startCursor and endCursor
  • edges is an array of objects consisting of node and cursor fields
  • And so on…

We can make up a query like this, giving some arbitrary parameters to allBugs:

{
  allBugs(before: "", after: "", first: 1337, last: 1337) {
    pageInfo {
      hasNextPage
    }
    edges {
      node {
        id
      }
      cursor
    }
  }
}

Use the Prettify option in the GraphiQL IDE to format the request so that we can read it easily. The IDE also gives us autocomplete suggestions so that we can build our queries easily. Now let's send our query:

GraphiQL Query

We got a response. That's good news, as it indicates that our query is valid and we are on the right track.

The "Docs" link in the top right corner of the GraphiQL IDE is also very useful and gives nice documentation for the schema.

If we use a wrong field or parameter in our query, GraphQL has a feature that gives us suggestions on what is going wrong and what the correct fields and parameters might be. Although this is good during development and debugging, it can be abused from a hacker's point of view, since it leaks parts of the schema even when introspection is disabled. We will discuss this in another article.

As we now have the full schema and know all the relationships, we can query all the objects using this query:

{
  allBugs(before: "", after: "", first: 1337, last: 1337) {
    pageInfo {
      hasNextPage
      hasPreviousPage
      startCursor
      endCursor
    }
    edges {
      node {
        id
        reporterId
        private
        reporter {
          id
          username
          bugs(before: "", after: "", first: 1337, last: 1337) {
            pageInfo {
              hasNextPage
              hasPreviousPage
              startCursor
              endCursor
            }
            edges {
              node {
                id
                reporterId
                text
                private
                reporter {
                  id
                }
              }
              cursor
            }
          }
        }
      }
      cursor
    }
  }
}

This is basically the conversion of the visualization into text form with correct query syntax. And the response is:

GraphiQL Advance Query

We get our Flag in the Response :)

Conclusion

So that was it: a brief introduction to GraphQL and how we can use and abuse it to get data out of an API if the implementation has no proper checks (such as disabling introspection and enforcing authorization on the data each query can reach).

The main thing to learn when starting out is to understand the schema and how to format queries based on it.

If you liked this article then please share, clap and follow me. I would love to see your comments on how this can be improved further. Thanks!

Twitter: 0xsanz


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900
