maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1162 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_graphql_20250721_082948

Browse Source 
Research Update Enhanced src/network-services-pentesting/pen...
This commit is contained in:
SirBroccoli 2025-07-23 14:02:24 +02:00 committed by GitHub
commit f4a5ca8191
1 changed files with 74 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
src/network-services-pentesting/pentesting-web/graphql.md
View File

@ -600,6 +600,78 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
'https://example.com/graphql' 'https://example.com/graphql'
``` ```
## Recent Vulnerabilities (2023-2025)
> The GraphQL ecosystem evolves very quickly; during the last two years several critical issues were disclosed in the most-used server libraries. When you find a GraphQL endpoint it is therefore worth fingerprinting the engine (see **graphw00f**) and checking the running version against the vulnerabilities below.
### CVE-2024-47614 `async-graphql` directive-overload DoS (Rust)
* Affected: async-graphql < **7.0.10** (Rust)
* Root cause: no limit on **duplicated directives** (e.g. thousands of `@include`) which are expanded into an exponential number of execution nodes.
* Impact: a single HTTP request can exhaust CPU/RAM and crash the service.
* Fix/mitigation: upgrade ≥ 7.0.10 or call `SchemaBuilder.limit_directives()`; alternatively filter requests with a WAF rule such as `"@include.*@include.*@include"`.
```graphql
# PoC repeat @include X times
query overload {
__typename @include(if:true) @include(if:true) @include(if:true)
}
```
### CVE-2024-40094 `graphql-java` ENF depth/complexity bypass
* Affected: graphql-java < 19.11, 20.0-20.8, 21.0-21.4
* Root cause: **ExecutableNormalizedFields** were not considered by `MaxQueryDepth` / `MaxQueryComplexity` instrumentation. Recursive fragments therefore bypassed all limits.
* Impact: unauthenticated DoS against Java stacks that embed graphql-java (Spring Boot, Netflix DGS, Atlassian products…).
```graphql
fragment A on Query { ...B }
fragment B on Query { ...A }
query { ...A }
```
### CVE-2023-23684 WPGraphQL SSRF to RCE chain
* Affected: WPGraphQL ≤ 1.14.5 (WordPress plugin).
* Root cause: the `createMediaItem` mutation accepted attacker-controlled **`filePath` URLs**, allowing internal network access and file writes.
* Impact: authenticated Editors/Authors could reach metadata endpoints or write PHP files for remote code execution.
---
## Incremental delivery abuse: `@defer` / `@stream`
Since 2023 most major servers (Apollo 4, GraphQL-Java 20+, HotChocolate 13) implemented the **incremental delivery** directives defined by the GraphQL-over-HTTP WG. Every deferred patch is sent as a **separate chunk**, so the total response size becomes *N + 1* (envelope + patches). A query that contains thousands of tiny deferred fields therefore produces a large response while costing the attacker only one request a classical **amplification DoS** and a way to bypass body-size WAF rules that only inspect the first chunk. WG members themselves flagged the risk.
Example payload generating 2 000 patches:
```graphql
query abuse {
% for i in range(0,2000):
f{{i}}: __typename @defer
% endfor
}
```
Mitigation: disable `@defer/@stream` in production or enforce `max_patches`, cumulative `max_bytes` and execution time. Libraries like **graphql-armor** (see below) already enforce sensible defaults.
---
## Defensive middleware (2024+)
| Project | Notes |
|---|---|
| **graphql-armor** | Node/TypeScript validation middleware published by Escape Tech. Implements plug-and-play limits for query depth, alias/field/directive counts, tokens and cost; compatible with Apollo Server, GraphQL Yoga/Envelop, Helix, etc. |
Quick start:
```ts
import { protect } from '@escape.tech/graphql-armor';
import { applyMiddleware } from 'graphql-middleware';
const protectedSchema = applyMiddleware(schema, ...protect());
```
`graphql-armor` will now block overly deep, complex or directive-heavy queries, protecting against the CVEs above.
---
## Tools ## Tools
### Vulnerability scanners ### Vulnerability scanners
@ -641,5 +713,7 @@ https://graphql-dashboard.herokuapp.com/
- [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md) - [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)
- [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696) - [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
- [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql) - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
- [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8)
- [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor)
{{#include ../../banners/hacktricks-training.md}} {{#include ../../banners/hacktricks-training.md}}