# Java - GraphQL Introspection ## Running the app on Docker ``` $ sudo docker pull blabla1337/owasp-skf-lab:java-graphql-info-introspection ``` ``` $ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-graphql-info-introspection ``` {% hint style="success" %} Now that the app is running let's go hacking! {% endhint %} ## Reconnaissance As soon as we browse on `http://0.0.0.0:5000` we see the few posts published by 2 users ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/java/GraphQL-Introspections/1.png) ## Exploitation We want to use the introspection feature (enabled) in this case, to understand more about what queries are supported. Let' use the `GraphiQL` UI to send queries to the backend and discover what is available. Go to `http://0.0.0.0:5000/graphiql`. We can query the generic `__schema` using: ``` { __schema { types { name } } } ``` The application gives us interesting `Types`. Let's explore the `User` one. If we build another query we can ask for more information, exploring every field available. Let's send the following: ``` { __type(name: "User"){ name fields{ name } } } ``` In this case, for each field we we want to know what are the subfields and of which type. The application will answer with: ```json { "data": { "__type": { "name": "User", "fields": [ { "name": "id" }, { "name": "username" }, { "name": "password" }, { "name": "admin" } ] } } } ``` > BINGO! We have some good information here We can see that there is an interesting field `admin`, that we can use to find out who is the admin of the application. Now we just need to query all the Users. To do that, let's see if there is a query available. We can use the following syntax: ``` { __schema{ queryType{ fields{ name description } } } } ``` That will give us the `findAllUsers` query. Now we need to understand what are the fields. We can do that in different ways, using GraphiQL or doing some more introspection. In this case we use GraphiQL, sending the following query: ``` { findAllUsers{ username admin } } ``` ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/java/GraphQL-Introspections/2.png) ## Solution Implement authorization on graphql endpoint. Although authenticated users could query the information, you should not map sensitive information into the type defined into the schema. ## Additional resources {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://skf.gitbook.io/asvs-write-ups/graphql-introspection/graphql-introspections.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.