write-ups
write-ups
Introduction
KBID 1 - Path traversal (LFI)
KBID 3 - Cross Site Scripting
KBID 3 - Cross site scripting (attribute)
KBID 3 - Cross site scripting (href)
KBID 5 - CSRF
KBID 5 - CSRF - Samesite
KBID 6 - XXE
KBID 13 - File upload
KBID 20 - Clickjacking
KBID 29 - Brute force login
KBID 39 - HttpOnly session hijacking XSS
KBID 44 - Authorisation missing
KBID 45 - Exposed docker daemon
KBID 46 - SQLI (Union)
KBID 67 - Open Redirect Hard
KBID 112 - CORS exploitation
KBID 95 - Formula Injection
KBID 147 - parameter binding attack
KBID 156 - SQLI (Like)
KBID 156 - SQLI (Blind)
KBID 173 - Local File Inclusion
KBID 173 - Local File Inclusion-2
KBID 173 - Local File Inclusion-3
KBID 173 - Remote File Inclusion
KBID 178 - Content-Security-Policy
KBID 250 - Session Puzzling
KBID 262 - Server Side Request Forgery
KBID 266 - Tabnabbing
KBID 267 - SSTI
KBID 268 - Insecure direct object references
KBID 271 - Deserialisation Yaml
KBID 285 - GraphQL DOS
KBID 285 - GraphQL IDOR
KBID 285 - GraphQL Injections
KBID 285 - GraphQL Introspection
KBID 285 - GraphQL Mutations
KBID 7006 - JWT Null
KBID 7006 - JWT Secret
KBID XXX - Deserialisation Pickle
KBID XXX - Race Condition
KBID XXX - DoS Regex
KBID XXX - Command Injection 1
KBID XXX - Command Injection 2
KBID XXX - Information Leakeage in Comments
KBID XXX - Information Leakeage in Metadata
KBID XXX - Auth-bypass-1
KBID XXX - Auth-bypass-2
KBID XXX - Blind command injection
KBID XXX - XSSI (include files from untrusted sources)
template
Powered by GitBook

KBID 285 - GraphQL Mutations

Running the app

$ sudo docker pull blabla1337/owasp-skf-lab:graphql-mutations
​
```text
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:graphql-mutations

Or alternatively build yourself!

docker build . -t graphql/mutations && docker run -ti -p 5000:5000 graphql/mutations

The docker should be up in no time and we should now be able to browse the application on http://0.0.0.0:5000/

Now that the app is running let's go hacking!

Running the app Python3

First, make sure python3 and pip are installed on your host machine. After installation, we go to the folder of the lab we want to practise "i.e /skf-labs/XSS/, /skf-labs/jwt-secret/ " and run the following commands:

$ pip3 install -r requirements.txt
$ python3 <labname>

Now that the app is running let's go hacking!

Docker Image and write-up thanks to defev!

Reconnaissance

The application implements a very basic mutation to create a new post on the blog. The mutation used is the following

mutation {
  createPost(input: {body: "' -- ", title: "test_title", authorId: 2}) {
    post {
      body
      authorId
      title
    }
  }
}

If we look at the code we have a class CreatePost that will implement our logic to create a post.

class CreatePost(graphene.Mutation):
    """Mutation to create a post."""
    post = graphene.Field(lambda: PostObject, description="Post created by this mutation.")
​
    class Arguments:
​
        input = CreatePostInput(required=True)
​
    def mutate(self, info, input):
​
        post = Post(**input)
        db.session.add(post)
        db.session.commit()
​
        return CreatePost(post=post)

The method mutate will just get the new Post object and insert an instance in the database.

Exploit

What can you exploit? ;)

Previous
KBID 285 - GraphQL Introspection
Next
KBID 7006 - JWT Null
Last updated 3 months ago
Edit on GitHub
Contents
Running the app
Running the app Python3
Reconnaissance
Exploit