
More and more companies are starting to use GraphQL. It is a relatively new technology (more precisely, a query language) designed to solve the existing problems of REST.
If you are not familiar with GraphQL, I recommend starting with the resources:
In this article I want to share one of the tools for finding vulnerabilities in GraphQL APIs. If you have ever looked for vulnerabilities in a GraphQL API, you have probably run into the following problems:
- Instead of documentation, you have a huge unreadable JSON (the GraphQL schema).
- The web application uses only part of the GraphQL API, so by watching the client alone you cannot see all the data and operations.
GraphQL Voyager, which visualizes the GraphQL schema, is a good helper in solving these problems. Visualization greatly eases understanding of the GraphQL API and helps to find vulnerabilities quickly.
Why use GraphQL Voyager?
Before looking for vulnerabilities, we want to understand what data can be obtained and what operations can be performed through the GraphQL API. As a rule, there is no separate documentation page, because a GraphQL API carries its documentation inside itself: a special request, the introspection query, returns the GraphQL schema, which contains all the public information about the API (how to send it is described further down).
Most often, the schema is a huge JSON, and it is very difficult to understand the API just by reading it. A visual presentation of the same JSON is quite another thing:
(Figure: JSON vs image)
How to use GraphQL Voyager?
First of all, you need to find the URL at which the GraphQL API is located. This can be done in several ways:
- View the requests made by the client (browser, mobile application).
- Try the standard URLs for GraphQL, for example /graphql, /api/graphql, ... (more URLs can be found here: https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e ).
- Find a mention in documentation ( https://developer.github.com/v4/ ) or news ( https://medium.com/paypal-engineering/graphql-a-success-story-for-paypal-checkout-3482f724fb53 ).
Having found the URL of the GraphQL API, you can proceed to GraphQL Voyager. It is quite simple. For example, you can visualize SWAPI GraphQL in three steps:
Step 1. Copy the introspection query (the query that returns the schema):
- Go to https://apis.guru/graphql-voyager/ .
- Click "Custom Schema".
- Click "Copy Introspection Query".
Step 2. Execute the introspection query:
- Go to https://graphql.imtqy.com/swapi-graphql .
- Paste the introspection query into the query editor (left side of the page).
- Send the request.
Step 3. Copy the resulting schema (right side of the page) and paste it into Voyager.
Note : the specific steps may vary from one API to another, since GraphQL endpoints can be implemented in different ways.
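The same procedure in code, as an added example that is not part of the original post or of the Voyager project: it covers both the introspection request described under "Why use GraphQL Voyager?" and the three steps above. It probes a few candidate paths for the endpoint (the path list, the base URL and the sample schema are assumptions for illustration), sends a compact introspection query, and condenses the returned JSON into readable field signatures, which is the reading of the schema that Voyager otherwise does for you visually.

```python
"""Added example (not from the original post or the Voyager project): find a
GraphQL endpoint, fetch its schema by introspection, and condense the result
into field signatures.  Candidate paths and the sample schema are assumptions."""
import json
import urllib.request

# Compact introspection query, enough for the summary below.  Voyager's own
# "Copy Introspection Query" is the fuller one (descriptions, enums, interfaces).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name } mutationType { name }
    types {
      kind name
      fields(includeDeprecated: true) {
        name args { name type { ...TypeRef } } type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

# Paths worth trying when client traffic does not reveal the endpoint (assumed list).
CANDIDATE_PATHS = ["/graphql", "/api/graphql", "/graphql/v1", "/v1/graphql", "/query"]

def post_graphql(url, query, timeout=10):
    """POST the query as JSON (the usual GraphQL transport) and decode the reply."""
    req = urllib.request.Request(url, data=json.dumps({"query": query}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())

def find_endpoint(base_url, post=post_graphql):
    """Probe candidate paths; return the first URL whose reply carries __schema.
    A reply with only "errors" (for example, introspection disabled) is skipped."""
    for path in CANDIDATE_PATHS:
        url = base_url.rstrip("/") + path
        try:
            reply = post(url, INTROSPECTION_QUERY)
        except Exception:          # 404, connection refused, non-JSON body ...
            continue
        if isinstance(reply, dict) and (reply.get("data") or {}).get("__schema"):
            return url
    return None

def type_name(t):
    """Render an introspection TypeRef in GraphQL notation, e.g. [Film!]!"""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]

def summarize_schema(introspection):
    """Map each object type to its field signatures, skipping scalars, enums and
    the built-in __* types, so the huge schema JSON becomes a scannable listing."""
    summary = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        sigs = []
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args") or [])
            sigs.append(f"{f['name']}({args}): {type_name(f['type'])}" if args
                        else f"{f['name']}: {type_name(f['type'])}")
        summary[t["name"]] = sigs
    return summary

def root_types(introspection):
    """(query root, mutation root or None): where to start when hunting for writes."""
    s = introspection["data"]["__schema"]
    return s["queryType"]["name"], (s.get("mutationType") or {}).get("name")

def _ref(kind, name=None, of=None):
    return {"kind": kind, "name": name, "ofType": of}

# Constructed introspection result shaped like a tiny SWAPI-style schema.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Root"}, "mutationType": None,
    "types": [
        {"kind": "OBJECT", "name": "Root", "fields": [
            {"name": "film", "args": [{"name": "id", "type": _ref("SCALAR", "ID")}],
             "type": _ref("OBJECT", "Film")},
            {"name": "allFilms", "args": [],
             "type": _ref("NON_NULL", of=_ref("LIST", of=_ref("OBJECT", "Film")))}]},
        {"kind": "OBJECT", "name": "Film", "fields": [
            {"name": "title", "args": [], "type": _ref("NON_NULL", of=_ref("SCALAR", "String"))}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Type", "fields": []},
    ]}}}

if __name__ == "__main__":
    # Live use: url = find_endpoint("https://target.example"); schema = post_graphql(url, INTROSPECTION_QUERY)
    schema = SAMPLE_INTROSPECTION             # offline: the constructed sample
    print("roots:", root_types(schema))
    for tname, fields in summarize_schema(schema).items():
        print(tname, *("  " + f for f in fields), sep="\n")
    with open("schema.json", "w") as fh:      # step 3: this file is what you paste into Voyager
        json.dump(schema, fh)
```

The JSON written at the end is exactly what step 3 pastes into Voyager. If the endpoint answers with only an `errors` array and no `data`, introspection is disabled or restricted on that server; `find_endpoint` skips such replies, and Voyager has nothing to draw from them.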
After that, you will have an intuitive interface containing a graph of objects, their fields, and the connections between objects.
(Figure: now it is much clearer)
Do not be alarmed if you end up with a huge schema. A GraphQL API can carry as much functionality as a REST API, so, despite the convenient presentation, it will still take time to learn all the details.
Conclusion
GraphQL Voyager is an indispensable tool when testing a GraphQL API. With it, you can see the full picture and figure out how the GraphQL API can be used.
Voyager could be made even better by adding the ability to compare two schemas. The idea is to track changes in a GraphQL schema over time and visualize them when they occur. This would help to quickly learn about new functionality or modifications of old functionality.
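A text-only version of that comparison, as an added example that is neither the post's nor Voyager's code: it diffs two schema summaries of the shape `{type name: [field signature, ...]}` (the listing an introspection result condenses to) and reports added or removed types and fields. The "before" and "after" schemas are constructed for illustration.

```python
"""Added example (not from the post or the Voyager project): diff two schema
summaries to spot new or removed functionality between two introspection runs.
The sample 'before'/'after' schemas are constructed for illustration."""

def diff_schemas(old, new):
    """Report types and fields added/removed between two summaries.
    A field whose signature changed (new argument, different return type)
    shows up as one removal plus one addition under the same type."""
    report = {"added_types": sorted(set(new) - set(old)),
              "removed_types": sorted(set(old) - set(new)),
              "changed_types": {}}
    for tname in set(old) & set(new):
        added = sorted(set(new[tname]) - set(old[tname]))
        removed = sorted(set(old[tname]) - set(new[tname]))
        if added or removed:
            report["changed_types"][tname] = {"added": added, "removed": removed}
    return report

def format_report(report):
    """Render the diff as lines: '+' for additions, '-' for removals."""
    lines = [f"+ type {t}" for t in report["added_types"]]
    lines += [f"- type {t}" for t in report["removed_types"]]
    for tname, ch in sorted(report["changed_types"].items()):
        lines += [f"+ {tname}.{f}" for f in ch["added"]]
        lines += [f"- {tname}.{f}" for f in ch["removed"]]
    return lines

# Constructed summaries: yesterday's schema and today's (a new mutation root,
# a widened argument list, a new field, and one type dropped).
OLD_SCHEMA = {
    "Root": ["film(id: ID): Film", "allFilms: [Film]!"],
    "Film": ["title: String!"],
    "Legacy": ["value: Int"],
}
NEW_SCHEMA = {
    "Root": ["film(id: ID, title: String): Film", "allFilms: [Film]!"],
    "Film": ["title: String!", "internalNotes: String"],
    "Mutation": ["deleteFilm(id: ID!): Boolean"],
}

if __name__ == "__main__":
    print("\n".join(format_report(diff_schemas(OLD_SCHEMA, NEW_SCHEMA))))
```

Run against summaries saved from two introspection runs, the `+` lines are the new attack surface (here a mutation root and an `internalNotes` field) that the web client may not use yet.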
I created a github ticket for this feature. You can assist in the development, for example, in the following ways:
- (easy option) Vote for the feature. This will raise the priority of its development.
- (hard option) Write the code yourself, since GraphQL Voyager is open source.