1 of 4

GraphQL Mutations

Python - GraphQL Mutations

Running the app on Docker

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to create posts as another user:

Bingo! We have create a new post as another user. Let's refresh the page:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

Additional resources

NodeJS - GraphQL Mutations

Running the app on Docker

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to create posts as another user:

Bingo! We have create a new post as another user. Let's refresh the page:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

Additional resources

Java - GraphQL Mutations

Running the app on Docker

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to delete any post we want. If there is a createPost class there might be another class called deletePost, let's try:

Bingo! Post with id:4 was deleted. If we go back and refresh the application:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

Additional resources

NodeJS - GraphQL Mutations

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:js-graphql-mutations

$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-graphql-mutations

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to create posts as another user:

Bingo! We have create a new post as another user. Let's refresh the page:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

Additional resources

const mutationType = new graphql.GraphQLObjectType({
  name: "Mutation",
  fields: {
    createPost: {
      type: PostType,
      args: {
        title: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        body: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        author_id: { type: new graphql.GraphQLNonNull(graphql.GraphQLID) },
      },
      resolve: (root, { title, body, author_id }) => {
        return new Promise((resolve, reject) => {
          database.run(
            "INSERT INTO Posts (title, body, author_id) VALUES (?,?,?);",
            [title, body, author_id],
            (err) => {
              if (err) {
                reject(null);
              }
              database.get("SELECT last_insert_rowid() as id", (err, row) => {
                resolve({
                  id: row["id"],
                  title: title,
                  body: body,
                  author_id: author_id,
                });
              });
            }
          );
        });
      },
    },
  },
});

const mutationType = new graphql.GraphQLObjectType({
  name: "Mutation",
  fields: {
    createPost: {
      type: PostType,
      args: {
        title: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        body: {
          type: new graphql.GraphQLNonNull(graphql.GraphQLString),
        },
        author_id: { type: new graphql.GraphQLNonNull(graphql.GraphQLID) },
      },
      resolve: (root, { title, body, author_id }) => {
        return new Promise((resolve, reject) => {
          database.run(
            "INSERT INTO Posts (title, body, author_id) VALUES (?,?,?);",
            [title, body, author_id],
            (err) => {
              if (err) {
                reject(null);
              }
              database.get("SELECT last_insert_rowid() as id", (err, row) => {
                resolve({
                  id: row["id"],
                  title: title,
                  body: body,
                  author_id: author_id,
                });
              });
            }
          );
        });
      },
    },
  },
});

Python - GraphQL Mutations

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:graphql-mutation

$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:graphql-mutation

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to create posts as another user:

Bingo! We have create a new post as another user. Let's refresh the page:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

Additional resources

Java - GraphQL Mutations

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:java-graphql-mutation

$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-graphql-mutation

Now that the app is running let's go hacking!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

If we look at the code we have a class CreatePost that will implement our logic to create a post.

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

There are many ways we could exploit this, one would be to delete any post we want. If there is a createPost class there might be another class called deletePost, let's try:

Bingo! Post with id:4 was deleted. If we go back and refresh the application:

You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?

GraphQL Mutations

Python - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

NodeJS - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

Java - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

NodeJS - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

Python - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

Java - GraphQL Mutations

hashtagRunning the app on Docker

hashtagReconnaissance

hashtagExploit

hashtagAdditional resources

GraphQL Mutations

Running the app on Docker

Reconnaissance

Exploit

Additional resources

Running the app on Docker

Reconnaissance

Exploit

Additional resources

Running the app on Docker

Reconnaissance

Exploit

Additional resources

Running the app on Docker

Reconnaissance

Exploit

Additional resources

Running the app on Docker

Reconnaissance

Exploit

Additional resources

Running the app on Docker

Reconnaissance

Exploit

Additional resources