From d582f6923ea34059d258322121964f873750be1c Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 21 Jul 2025 08:37:38 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/pe... --- .../pentesting-web/graphql.md | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md index e601d2249..7a7e4268e 100644 --- a/src/network-services-pentesting/pentesting-web/graphql.md +++ b/src/network-services-pentesting/pentesting-web/graphql.md @@ -600,6 +600,78 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso 'https://example.com/graphql' ``` +## Recent Vulnerabilities (2023-2025) + +> The GraphQL ecosystem evolves very quickly; during the last two years several critical issues were disclosed in the most-used server libraries. When you find a GraphQL endpoint it is therefore worth fingerprinting the engine (see **graphw00f**) and checking the running version against the vulnerabilities below. + +### CVE-2024-47614 – `async-graphql` directive-overload DoS (Rust) +* Affected: async-graphql < **7.0.10** (Rust) +* Root cause: no limit on **duplicated directives** (e.g. thousands of `@include`) which are expanded into an exponential number of execution nodes. +* Impact: a single HTTP request can exhaust CPU/RAM and crash the service. +* Fix/mitigation: upgrade ≥ 7.0.10 or call `SchemaBuilder.limit_directives()`; alternatively filter requests with a WAF rule such as `"@include.*@include.*@include"`. + +```graphql +# PoC – repeat @include X times +query overload { + __typename @include(if:true) @include(if:true) @include(if:true) +} +``` + +### CVE-2024-40094 – `graphql-java` ENF depth/complexity bypass +* Affected: graphql-java < 19.11, 20.0-20.8, 21.0-21.4 +* Root cause: **ExecutableNormalizedFields** were not considered by `MaxQueryDepth` / `MaxQueryComplexity` instrumentation. Recursive fragments therefore bypassed all limits. +* Impact: unauthenticated DoS against Java stacks that embed graphql-java (Spring Boot, Netflix DGS, Atlassian products…). + +```graphql +fragment A on Query { ...B } +fragment B on Query { ...A } +query { ...A } +``` + +### CVE-2023-23684 – WPGraphQL SSRF to RCE chain +* Affected: WPGraphQL ≤ 1.14.5 (WordPress plugin). +* Root cause: the `createMediaItem` mutation accepted attacker-controlled **`filePath` URLs**, allowing internal network access and file writes. +* Impact: authenticated Editors/Authors could reach metadata endpoints or write PHP files for remote code execution. + +--- + +## Incremental delivery abuse: `@defer` / `@stream` +Since 2023 most major servers (Apollo 4, GraphQL-Java 20+, HotChocolate 13) implemented the **incremental delivery** directives defined by the GraphQL-over-HTTP WG. Every deferred patch is sent as a **separate chunk**, so the total response size becomes *N + 1* (envelope + patches). A query that contains thousands of tiny deferred fields therefore produces a large response while costing the attacker only one request – a classical **amplification DoS** and a way to bypass body-size WAF rules that only inspect the first chunk. WG members themselves flagged the risk. + +Example payload generating 2 000 patches: + +```graphql +query abuse { +% for i in range(0,2000): + f{{i}}: __typename @defer +% endfor +} +``` + +Mitigation: disable `@defer/@stream` in production or enforce `max_patches`, cumulative `max_bytes` and execution time. Libraries like **graphql-armor** (see below) already enforce sensible defaults. + +--- + +## Defensive middleware (2024+) + +| Project | Notes | +|---|---| +| **graphql-armor** | Node/TypeScript validation middleware published by Escape Tech. Implements plug-and-play limits for query depth, alias/field/directive counts, tokens and cost; compatible with Apollo Server, GraphQL Yoga/Envelop, Helix, etc. | + +Quick start: + +```ts +import { protect } from '@escape.tech/graphql-armor'; +import { applyMiddleware } from 'graphql-middleware'; + +const protectedSchema = applyMiddleware(schema, ...protect()); +``` + +`graphql-armor` will now block overly deep, complex or directive-heavy queries, protecting against the CVEs above. + +--- + + ## Tools ### Vulnerability scanners @@ -641,5 +713,7 @@ https://graphql-dashboard.herokuapp.com/ - [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md) - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql) +- [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8) +- [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor) {{#include ../../banners/hacktricks-training.md}}