write-ups
Search…
Introduction
KBID 1 - Path traversal (LFI)
KBID 3 - Cross Site Scripting
KBID 3 - Cross site scripting (attribute)
KBID 3 - Cross site scripting (href)
KBID 5 - CSRF
KBID 5 - CSRF - Samesite
KBID 6 - XXE
KBID 13 - File upload
KBID 20 - Clickjacking
KBID 29 - Brute force login
KBID 39 - HttpOnly session hijacking XSS
KBID 45 - Exposed docker daemon
KBID 46 - SQLI (Union)
KBID 67 - Open Redirect
KBID 67 - Open Redirect Harder
KBID 67 - Open Redirect Harder-2
KBID 95 - Formula Injection
KBID 111 - Client Side Template Injection
KBID 112 - CORS exploitation
KBID 147 - parameter binding attack
KBID 156 - SQLI (Like)
KBID 156 - SQLI (Blind)
KBID 173 - Local File Inclusion
KBID 173 - Local File Inclusion-2
KBID 173 - Local File Inclusion-3
KBID 173 - Remote File Inclusion
KBID 178 - Content-Security-Policy
KBID 250 - Session Puzzling
KBID 251 - Command Injection 1
KBID 251 - Command Injection 2
KBID 251 - Command Injection 3
KBID 251 - Blind command injection
KBID 262 - Server Side Request Forgery
KBID 266 - Tabnabbing
KBID 267 - SSTI
KBID 268 - Insecure direct object references
KBID 271 - Deserialisation Yaml
KBID 271 - Deserialisation Pickle-1
KBID 271 - Deserialisation Pickle-2
KBID 285 - GraphQL DOS
KBID 285 - GraphQL IDOR
KBID 285 - GraphQL Injections
KBID 285 - GraphQL Introspection
KBID 285 - GraphQL Mutations
KBID 7006 - JWT Null
KBID 7006 - JWT Secret
KBID XXX - Race Condition
KBID XXX - DoS Regex
KBID XXX - Information Leakeage in Comments
KBID XXX - Information Leakeage in Metadata
KBID XXX - Auth-bypass-1
KBID XXX - Auth-bypass-2
KBID XXX - Auth-bypass-3
KBID XXX - XSSI (include files from untrusted sources)
KBID XXX - TLS downgrade
KBID XXX - Client side restriction bypass harder
template
Powered By GitBook
KBID 285 - GraphQL Mutations

Running the app

1
$ sudo docker pull blabla1337/owasp-skf-lab:graphql-mutation
2
​
3
```text
4
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:graphql-mutation
Copied!
Now that the app is running let's go hacking!

Running the app Python3

First, make sure python3 and pip are installed on your host machine. After installation, we go to the folder of the lab we want to practise "i.e /skf-labs/XSS/, /skf-labs/jwt-secret/ " and run the following commands:
1
$ pip3 install -r requirements.txt
Copied!
1
$ python3 <labname>
Copied!
Now that the app is running let's go hacking!
Docker Image and write-up thanks to defev!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following
1
mutation {
2
createPost(input: {body: "' -- ", title: "test_title", authorId: 2}) {
3
post {
4
body
5
authorId
6
title
7
}
8
}
9
}
Copied!
If we look at the code we have a class CreatePost that will implement our logic to create a post.
1
class CreatePost(graphene.Mutation):
2
"""Mutation to create a post."""
3
post = graphene.Field(lambda: PostObject, description="Post created by this mutation.")
4
​
5
class Arguments:
6
​
7
input = CreatePostInput(required=True)
8
​
9
def mutate(self, info, input):
10
​
11
post = Post(**input)
12
db.session.add(post)
13
db.session.commit()
14
​
15
return CreatePost(post=post)
Copied!
The method mutate will just get the new Post object and insert an instance in the database.

Exploit

What can you exploit? ;)
Previous
KBID 285 - GraphQL Introspection
Next
KBID 7006 - JWT Null
Last modified 1yr ago
Copy link
Contents
Running the app
Running the app Python3
Reconnaissance
Exploit