GraphQL Voyager as a tool for finding vulnerabilities
More and more companies are adopting GraphQL. It is a relatively young technology (more precisely, a query language for APIs) designed to solve known problems of REST.
If you are not familiar with GraphQL, I recommend starting with these resources:
- https://www.howtographql.com/ - interactive training with exercises and checkpoints. It starts from scratch and ends with building a GraphQL application.
- https://graphql.org/learn/ and https://graphql.github.io/graphql-spec/June2018 - the official guide and the specification. Suitable if you want to study a specific topic.
- [upd 04.07.19] https://ctf.hacker101.com - HackerOne published two challenges on finding vulnerabilities in GraphQL. A nice place to try out Voyager. The challenges are called BugDB v1 and BugDB v2.
In this article I want to share one of the tools I use for finding vulnerabilities in GraphQL APIs. If you have tested a GraphQL API before, you have probably run into these problems:
- Instead of documentation, you have a huge, unreadable JSON document (the GraphQL schema).
- The web application uses only part of the GraphQL API, so by watching its traffic you do not see all of the data and operations the API exposes.
A good helper for both problems is GraphQL Voyager, which renders a GraphQL schema as an interactive graph. Visualization makes the GraphQL API much easier to understand and helps to find vulnerabilities faster.
Why use GraphQL Voyager?
Before looking for vulnerabilities, we want to understand what data can be obtained and what operations can be performed through the GraphQL API. As a rule, there will be no separate documentation page, because GraphQL is self-describing: the schema can be retrieved with a special request, an introspection query, which returns all the public information about the API (its types, fields, queries, mutations and subscriptions). How to do this is shown below. Note that some servers disable introspection in production; in that case the query returns an error and you have to reconstruct the schema from the queries the client actually sends.
Most often, the schema is a huge JSON document, and it is very difficult to understand the API just by reading it. A visual representation of the same JSON is a different matter:
(Figure: the same schema as raw introspection JSON vs. as a Voyager graph)
How to use GraphQL Voyager?
First of all, you need to find the URL where the GraphQL API is served. There are several ways to do this:
- Watch the requests sent by the client (browser, mobile application).
- Try the standard GraphQL paths, for example /graphql, /api/graphql, ... (more paths can be found here: https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e ).
- Find a mention in the documentation ( https://developer.github.com/v4/ ) or in the news ( https://medium.com/paypal-engineering/graphql-a-success-story-for-paypal-checkout-3482f724fb53 ).
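The second method above, scripted. This is an added example, not code from the article or from GraphQL Voyager. It relies on one property of every GraphQL server: the trivial query `{ __typename }` is valid against any schema, so a path that answers a POST of that query with JSON containing `"data": {"__typename": ...}` (or a GraphQL-style `"errors"` list) is a GraphQL endpoint. The candidate path list is an assumption extended from the article's `/graphql, /api/graphql, ...`; the HTTP transport is injected so the detection logic can be exercised offline with a fake. Servers that accept only GET, or a WAF that returns an HTML 200 for everything, are not handled here and would need a second probe.

```python
"""Probe candidate paths for a GraphQL endpoint (added example, not the article's code)."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Assumed list of common mount points; extend it with the paths from the linked write-up.
CANDIDATE_PATHS = [
    "/graphql", "/api/graphql", "/graphql/v1", "/v1/graphql", "/gql", "/query", "/api",
]

# Valid against every GraphQL schema, so it can be used as a fingerprint.
PROBE_QUERY = "{ __typename }"


def http_post_json(url: str, body: dict, headers: Optional[Dict[str, str]] = None) -> Optional[dict]:
    """Real transport: POST a JSON body and return the decoded JSON reply, or None on any failure."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for k, v in (headers or {}).items():  # e.g. a session cookie or bearer token
        req.add_header(k, v)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except Exception:  # HTTP errors, timeouts, HTML bodies: not a usable GraphQL reply
        return None


def looks_like_graphql(reply: Optional[dict]) -> bool:
    """A GraphQL response is a JSON object with "data" and/or "errors" at the top level."""
    if not isinstance(reply, dict):
        return False
    data = reply.get("data")
    if isinstance(data, dict) and "__typename" in data:
        return True
    errors = reply.get("errors")
    # Even an error reply (e.g. "Must provide query string.") proves a GraphQL server is there.
    return isinstance(errors, list) and len(errors) > 0 and all(
        isinstance(e, dict) and "message" in e for e in errors
    )


def find_graphql_endpoints(base_url: str, paths=CANDIDATE_PATHS,
                           post: Callable = http_post_json) -> List[str]:
    """Return every candidate URL under base_url that answers like a GraphQL server."""
    found = []
    for path in paths:
        url = base_url.rstrip("/") + path
        if looks_like_graphql(post(url, {"query": PROBE_QUERY})):
            found.append(url)
    return found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:4000"
    for hit in find_graphql_endpoints(target):
        print("GraphQL endpoint:", hit)
```

Run it as `python probe.py https://target.example` (the hostname is a placeholder). A hit is only a starting point: the same probe with an `Authorization` header often reveals an endpoint that answers anonymously with an `errors` list and only returns data once authenticated.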
Once you have found the URL of the GraphQL API, you can proceed to GraphQL Voyager. It is pretty simple. For example, you can visualize SWAPI GraphQL in three steps:
Step 1. Copy the introspection query (the query that returns the schema):
- Go to https://apis.guru/graphql-voyager/ .
- Click “Custom Schema”.
- Click “Copy Introspection Query”.
Step 2. Run the introspection query:
- Go to https://graphql.github.io/swapi-graphql .
- Paste the introspection query into the query editor (left side of the page).
- Run the query.
Step 3. Copy the resulting JSON (the right side of the page) and paste it into Voyager's “Custom Schema” dialog.
Note: the exact steps may vary from one API to another, because GraphQL servers are set up differently: some accept only POST requests, some require an authentication header, and some do not provide a GraphiQL page at all, so you have to send the query with an HTTP client.
After that, you will have an intuitive interface: a graph with object types, their fields, and the relationships between the types.
Now it’s become much clearer.
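The three steps above, scripted for APIs without a GraphiQL page, plus a small parser that extracts from the introspection reply the same information Voyager draws: the root operation types, each object type's fields and the edges between object types. This is an added example, not code from the article or from GraphQL Voyager. The introspection query is a cut-down one (Voyager's own "Copy Introspection Query" also asks for arguments, enums, interfaces and descriptions), and the sample reply is constructed for the example rather than captured from a real API. `fetch_schema` needs the network and is not run by the offline part.

```python
"""Run an introspection query and summarise the schema (added example, not the article's code)."""
import json
import urllib.request
from typing import Dict, List, Optional, Tuple

# Cut-down introspection query; the nested ofType levels unwrap wrappers such as [User!]!.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields { name type { ...TypeRef } }
    }
  }
}
fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def fetch_schema(url: str, headers: Optional[Dict[str, str]] = None) -> dict:
    """Step 2 scripted: POST the introspection query and return the JSON reply.

    json.dumps(result) is what Voyager's "Custom Schema" dialog expects (Step 3).
    If introspection is disabled the reply carries an "errors" list and no "data".
    """
    req = urllib.request.Request(url, data=json.dumps({"query": INTROSPECTION_QUERY}).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    for k, v in (headers or {}).items():  # e.g. {"Authorization": "Bearer ..."} when the API needs a token
        req.add_header(k, v)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def unwrap_type(type_ref: dict) -> Tuple[str, str]:
    """Strip NON_NULL / LIST wrappers: [User!]! -> ("OBJECT", "User")."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["kind"], type_ref["name"]


def summarize_schema(introspection: dict) -> dict:
    """Return {"roots": {...}, "types": {Type: [(field, target), ...]}, "edges": [(from, to), ...]}.

    Introspection metatypes (names starting with "__") and non-object types are
    skipped, which leaves exactly the object graph Voyager renders.
    """
    schema = introspection["data"]["__schema"]
    roots = {op: (schema.get(op) or {}).get("name")
             for op in ("queryType", "mutationType", "subscriptionType")}
    types: Dict[str, List[Tuple[str, str]]] = {}
    edges: List[Tuple[str, str]] = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        fields = []
        for f in t.get("fields") or []:
            kind, target = unwrap_type(f["type"])
            fields.append((f["name"], target))
            if kind == "OBJECT" and (t["name"], target) not in edges:
                edges.append((t["name"], target))
        types[t["name"]] = fields
    return {"roots": roots, "types": types, "edges": edges}


# Constructed sample reply (not from any real API), shaped like a real introspection result.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "LIST", "name": None,
                "ofType": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "OBJECT", "name": "User"}}}}},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "posts", "type": {"kind": "LIST", "name": None, "ofType": {"kind": "OBJECT", "name": "Post", "ofType": None}}},
        ]},
        {"kind": "OBJECT", "name": "Post", "fields": [
            {"name": "author", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
        ]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ],
}}}


if __name__ == "__main__":
    summary = summarize_schema(SAMPLE_INTROSPECTION)
    print("roots:", summary["roots"])
    for name, fields in summary["types"].items():
        print(name, "->", ", ".join(f"{f}:{t}" for f, t in fields))
    print("edges:", summary["edges"])
```

The text summary is a useful complement to the graph on a large schema: grepping the `types` output for fields such as `email`, `password` or `token`, and the `Mutation` root for `delete*`/`update*` operations, points straight at the places worth testing for authorization bugs.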
Do not be alarmed if you get a huge schema. A GraphQL API can have as much functionality as a REST API, so even with the convenient presentation it will still take time to study all the details.
GraphQL Voyager is an indispensable tool when testing a GraphQL API. With it you can see the full picture and understand how to use the API.
Voyager could be made even better by adding the ability to compare two schemas. The idea is to track changes in a GraphQL API and visualize them when they occur. This would help to quickly learn about new functionality or modifications to old functionality.
I created a ticket on GitHub for this feature. You can assist in the development, for example, in the following ways:
- (easy version) Vote for the feature. That raises the priority of its development.
- (hard version) Write the code yourself, since GraphQL Voyager is open source.