Abusing GraphQL With SQL Injection | Bug Bountys
This course details how you can use GraphQL Introspection to find data that may not be exposed directly by an application. Once you get access to this data, you should find a query that is not called directly by the web application. This query is vulnerable to SQL Injection.
If you feel confident, you can try to do this exercise without following the course, then you can come back to the course to read some details and tips. If you want to do it by yourself, you can follow the following steps:
- Use Introspection to find a query that is not used by the application
- Find how you can trigger the SQL injection
- Use Introspection to find the name of the table hosting the key and extract the key using SQL Injection
First, you will need to look at the traffic sent to the server when accessing the projects link. You should see a query to a /graphql/ endpoint. Here, the frontend graphiql is not available, therefore you will need to forge your own POST request to get the result of the introspection query.
You can find the query to perform the Introspection in the previous GraphQL challenge: GraphQL
Using this you should find a query very similar to the one the application uses. You should be able to call it and get the result from it. Once you do, you should be able to detect the SQL injection and exploit it using UNION SELECT.
Finally, you need to look at the information exported from the Introspection query and you should see another table/object that you can query using the SQL injection.
This exercise showed you how you can use GraphQL Introspection to get access to information that is not necessarily exposed by the application, then you manage to write you own GraphQL query to get access to this data by exploiting an SQL injection in the GraphQL API. It’s very common that storage and query mechanisms offer a way to get metadata about the information available, this is always a good idea to see if there is not more data than the one exposed by the application. I hope you enjoyed learning with PentesterLab.
Differences Between GraphQL & SQL
SQL typically only queries a single database and as the name implies, GraphQL represents its schema as nodes/edges of graph versus tabular style of relational database served up via SQL. GraphQL would probably best be compared to WSDL and OData from a schema and transport point of view.