BhinnekaSec1337

Description
Part of BogorWanien Team | Security Just illusion | We Are Party in your Security | IndonesianHack | LeakingTools

www.instagram.com/bhinnekasec1337
@BhinnekaService | BhinnekaSec service

2 months, 2 weeks ago

GraphQL notes for beginners

Here’s a GraphQL introduction 101 for bug bounty hunters compiled by @sillydadddy. This information can help you get up to speed and to get familiar with the GraphQL technology quickly. Here we go:

GraphQL is used by developers for more usability than REST. So mostly it is implemented over existing REST services like a wrapper. So sometimes developers may not configure it properly for ALL endpoints!
Most important thing for attacking GraphQL is to get the schema. For that we need to use introspection queries (it may be disabled). There are two versions of introspection queries. So don’t think the query is disabled if it’s not working – try both!
Check whether you can get hold of GraphQL consoles used by the developers, e.g.:
/graphql
/altair
/playground
etc. etc. (use a wordlist)
Try adding debugging parameter to your requests:
&debug=1
Look for previous versions, e.g.:
v1/graphql
V2/graphql
etc.
Tools:
Altair web browser plugin to run your tests
Graphql-Voyager for visual representation of schema
GraphQl raider Burp Suite plugin extension
Vulnerabilities:
IDOR (Insecure direct object references)
Authorization / Access control issues
Insecure mutations (data modifications) in GraphQL
Injections, e.g. SQL
Very useful GraphQL 101 indeed

By twitter.com/sillydadddy

2 months, 3 weeks ago

300T versus 5k, a very big difference

2 months, 3 weeks ago

www.paganella-logistics.com/Proof.txt

Sell WP+Shell
DA 26 PA 29 TB 1k QB 241
Channel: BhinnekaSec.t.me | AGENTZSECURITY.t.me
Contact : AgentSecAdmin.t.me | God7Society.t.me

3 months ago


3 months, 1 week ago

## Juicy Subdomains
subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1 | grep --color 'api\|dev\|stg\|test\|admin\|demo\|stage\|pre\|vpn'

## from BufferOver.run
curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u

## from Riddler.io

curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "[\w.-]+\.target\.com" | sort -u

## from RedHunt Labs Recon API
curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=<target.com>&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r

## from nmap
nmap --script hostmap-crtsh.nse target.com

## from CertSpotter
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq -r '.[].dns_names[]' | grep -Po "[\w.-]+\.target\.com" | sort -u

## from Archive
curl -s "http://web.archive.org/cdx/search/cdx?url=*.target.com/*&output=text&fl=original&collapse=urlkey" | sed -e 's_^https\{0,1\}://__' -e 's_/.*__' | sort -u

## from JLDC
curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "[\w.-]+\.target\.com" | sort -u

## from crt.sh
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

## from ThreatMiner
curl -s "https://api.threatminer.org/v2/domain.php?q=target.com&rt=5" | jq -r '.results[]' | grep -o "\w.*target.com" | sort -u

## from Anubis
curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com"

## from ThreatCrowd
curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains[]' | grep -o "\w.*target.com"

## from HackerTarget
curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

## from AlienVault
curl -s "https://otx.alienvault.com/api/v1/indicators/domain/target.com/url_list?limit=100&page=1" | grep -o '"hostname": "[^"]*' | sed 's/"hostname": "//' | sort -u

## from Censys
censys subdomains target.com

## from subdomain center
curl "https://api.subdomain.center/?domain=target.com" | jq -r '.[]' | sort -u
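The one-liners above each print slightly different things (full URLs, wildcard certificate names, host:port, mixed case) and several of the loose grep patterns will happily emit names outside the target domain. Added here, not part of the original post: a small POSIX sh helper that merges their output into one clean, in-scope, deduplicated host list, plus a tighter version of the "juicy" keyword filter. The function names and the sample lines are constructed; only sh, tr, sed, grep, awk and sort are assumed.

```shell
#!/bin/sh
# Constructed example (not from the original post): normalize and merge the
# per-source subdomain output of the one-liners above.

# normalize_subdomains DOMAIN  -- reads candidate lines on stdin.
# Strips scheme, port and path (archive / url_list output), certificate
# wildcards ("*."), stray leading or trailing dots and upper case, then
# keeps only hosts equal to DOMAIN or ending in ".DOMAIN" so out-of-scope
# names such as target.com.evil.example cannot slip in, and dedupes.
normalize_subdomains() {
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' \
    | sed -e 's#^[a-z]*://##' -e 's#[/:?].*$##' \
          -e 's/^\*\.//' -e 's/^\.//' -e 's/\.$//' \
    | grep -E '^([a-z0-9-]+\.)*[a-z0-9-]+$' \
    | awk -v d="$domain" \
        '$0 == d || substr($0, length($0) - length(d)) == ("." d)' \
    | LC_ALL=C sort -u
}

# juicy_subdomains -- the keyword filter from the first one-liner, but each
# keyword must be bounded by the start of the name, "." or "-" on both
# sides, so "pre" no longer matches presskit.target.com.
juicy_subdomains() {
  grep -E '(^|[.-])(api|dev|stg|test|admin|demo|stage|pre|vpn)[.-]'
}

# Stand-alone demo on constructed input that mimics mixed source output.
printf '%s\n' \
  'https://API.target.com/v1/users' \
  '*.dev.target.com' \
  'www.target.com:443' \
  'target.com' \
  'nottarget.com' \
  'target.com.evil.example' \
  'presskit.target.com' \
  'api.target.com' \
  | normalize_subdomains target.com | juicy_subdomains
```

In practice, pipe the concatenated output of all the source commands through `normalize_subdomains target.com` before feeding it to dnsx or httpx.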
