{% extends 'partials/base.html' %} {% block header %} {% include 'partials/base_header.html' %} {% endblock %} {% block content %}
There may be more than one way to exploit any given vulnerability; the solutions demonstrated below illustrate one way of achieving successful exploitation.
Some solutions include code snippets that are written in Python and use the requests library for HTTP requests.
The first essential step in every security test is to gain some insight into the technology the remote server is running. Knowing the technologies in use, you can start building a plan for how to attack the application or the underlying infrastructure.
For GraphQL, a tool called graphw00f exists. Let's explore how it can help us achieve detection and fingerprinting of GraphQL.
Detecting where GraphQL lives is fairly trivial: there are common paths where you would typically find a GraphQL endpoint, for example /graphql, /v1/graphql, etc.
Point graphw00f at DVGA to figure out where GraphQL lives:
$> python3 graphw00f.py -d -t http://localhost:5013/graphql
                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
     +--------------+              +--------------+
     |    Node X    |              |    Node Y    |
     +--------------+              +--------------+
                ***                  ***
                   **              **
                     **          **
                    +------------+
                    |   Node Z   |
                    +------------+
graphw00f - v1.0.3
The fingerprinting tool for GraphQL
Dolev Farhi (dolev@lethalbit.com)
Checking http://dvga.example.local:5013/graphql
[*] Found GraphQL at http://dvga.example.local:5013/graphql
[*] You can now try and fingerprint GraphQL using: graphw00f.py -t http://dvga.example.local:5013/graphql
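The same detection step done by hand, as an added Python example that is not DVGA's or graphw00f's code: it POSTs the universal `{ __typename }` query to a handful of common paths and classifies each response. The path list beyond /graphql and /v1/graphql is an assumption, and it uses only the standard library rather than requests.

```python
import json
import urllib.error
import urllib.request

# Paths the text names plus a few other common ones (assumed, not exhaustive).
COMMON_PATHS = ["/graphql", "/v1/graphql", "/api/graphql", "/graphiql", "/query"]
PROBE = {"query": "query { __typename }"}  # valid against any GraphQL schema


def classify_graphql_response(body):
    """'graphql' if the probe was answered (data.__typename == "Query"),
    'graphql-error' if the body is a spec-shaped errors list (a GraphQL
    server that rejected the probe), None for anything else."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):  # None body or non-JSON (HTML 404 page, ...)
        return None
    if not isinstance(doc, dict):
        return None
    data = doc.get("data")
    if isinstance(data, dict) and data.get("__typename") == "Query":
        return "graphql"
    errors = doc.get("errors")
    if isinstance(errors, list) and errors and isinstance(errors[0], dict) and "message" in errors[0]:
        return "graphql-error"
    return None


def post_json(url, payload, timeout):
    """POST JSON and return the body even on 4xx: GraphQL servers often
    answer a rejected query with HTTP 400 plus an errors body."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None  # connection refused, timeout, DNS failure


def find_graphql(base_url, post=post_json, timeout=5.0):
    found = {}  # path -> classification, for every path that answers like GraphQL
    for path in COMMON_PATHS:
        kind = classify_graphql_response(post(base_url.rstrip("/") + path, PROBE, timeout))
        if kind:
            found[path] = kind
    return found


if __name__ == "__main__":
    print(find_graphql("http://localhost:5013"))  # DVGA's URL from the page
```

The `post` parameter exists so the probing logic can be exercised against canned responses without a running DVGA.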
graphw00f can try and fingerprint GraphQL servers in order to determine the underlying implementation. By knowing what specific engine runs GraphQL, you can map what security mechanisms you may face during an assessment.
Point graphw00f at DVGA to figure out what technology it's running:
$> python3 graphw00f.py -t http://dvga.example.local:5013/graphql -f
[*] Checking if GraphQL is available at http://dvga.example.local:5013/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (Graphene)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/graphene.md
[!] Technologies: Python
[!] Homepage: https://graphene-python.org
[*] Completed.
As you can see, DVGA runs Graphene. Use the Attack Surface Matrix to see how Graphene ships GraphQL by default from a security perspective.