write-ups
Search…
KBID 285 - GraphQL Mutations
Running the app
1
$ sudo docker pull blabla1337/owasp-skf-lab:graphql-mutation
2
​
3
```text
4
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:graphql-mutation
Copied!
Now that the app is running let's go hacking!
Running the app Python3
First, make sure python3 and pip are installed on your host machine. After installation, we go to the folder of the lab we want to practise "i.e /skf-labs/XSS/, /skf-labs/jwt-secret/ " and run the following commands:
1
$ pip3 install -r requirements.txt
Copied!
1
$ python3 <labname>
Copied!
Now that the app is running let's go hacking!
Docker Image and write-up thanks to defev!
Reconnaissance
The application implements a very basic mutation to create a new post on the blog. The mutation used is the following
1
mutation {
2
createPost(input: {body: "' -- ", title: "test_title", authorId: 2}) {
3
post {
4
body
5
authorId
6
title
7
}
8
}
9
}
Copied!
If we look at the code we have a class
CreatePost that will implement our logic to create a post.1
class CreatePost(graphene.Mutation):
2
"""Mutation to create a post."""
3
post = graphene.Field(lambda: PostObject, description="Post created by this mutation.")
4
​
5
class Arguments:
6
​
7
input = CreatePostInput(required=True)
8
​
9
def mutate(self, info, input):
10
​
11
post = Post(**input)
12
db.session.add(post)
13
db.session.commit()
14
​
15
return CreatePost(post=post)
Copied!
The method mutate will just get the new Post object and insert an instance in the database.
Exploit
What can you exploit? ;)
Last modified 1yr ago
Copy link