# Playing with GraphQL when introspection is disabled
Quick write-up on extracting a GraphQL schema when introspection is disabled. Bits and pieces gathered from various sources. Successfully tested on an Apollo instance.
**TLDR:** Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref [https://youtu.be/nPB8o0cSnvM](https://youtu.be/nPB8o0cSnvM)).
## 1. Bruteforce schema without introspection
The first step is to use a tool called clairvoyance by [@nikitastupin](https://github.com/nikitastupin) ([https://github.com/nikitastupin/clairvoyance](https://github.com/nikitastupin/clairvoyance)). I found the main repo lacking in error handling and in support for additional features such as proxying.
The following fork by [@mchoji](https://github.com/mchoji) ([https://github.com/mchoji/clairvoyancex](https://github.com/mchoji/clairvoyancex)) has fixed most of these issues.
I recommend creating a compound wordlist; this can include general English words, common API objects, etc. We also want to create a target-specific list based on the site (as mentioned in the clairvoyance repo), e.g.:
1. Grab one of the wordlists from the most common English words extracted from Google: [https://github.com/first20hours/google-10000-english](https://github.com/first20hours/google-10000-english)
2. Make a target specific list. I found the best way was to grab the following:
- JS files from the target site
- Any existing GraphQL queries and responses
- HTML source files
Put them all together and run a regex over them to grab all possible GraphQL [names](http://spec.graphql.org/June2018/#sec-Names): `[_A-Za-z][_0-9A-Za-z]*`. Because there will be a lot of junk in there, I recommend removing any short words with `sed -nri.bak '/^.{3,}$/p' farmed_words.txt` (keeps only lines of three or more characters).
3. Put the two lists together `cat google-10000-english.txt >> farmed_words.txt`.
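As an added example (not part of the gist), the farming and merging steps in Node: it applies the GraphQL Name regex from step 2, drops names shorter than three characters like the `sed` one-liner, and merges with the general list. It goes one step beyond `cat >>` by deduplicating; the sources and the general list below are constructed stand-ins.

```javascript
// Added example, not from the gist: build the compound wordlist of steps 1-3.
const NAME_RE = /[_A-Za-z][_0-9A-Za-z]*/g;   // GraphQL Name production (June 2018 spec)

// Extract candidate GraphQL names from any text sources (JS bundles, HTML,
// captured queries); keep unique names of at least minLen characters, which
// mirrors the gist's sed filter that keeps lines of 3+ characters.
function farmNames(sources, minLen = 3) {
  const seen = new Set();
  for (const text of sources) {
    for (const name of text.match(NAME_RE) || []) {
      if (name.length >= minLen) seen.add(name);
    }
  }
  return [...seen];
}

// Merge the target-specific list with a general wordlist (step 3). The gist
// appends the files; deduplicating avoids fuzzing the same name twice.
function buildWordlist(farmed, general) {
  return [...new Set([...farmed, ...general])].sort();
}

// Constructed samples standing in for a captured query, a JS bundle and HTML source.
const SOURCES = [
  'query getUser($id: ID!) { user(id: $id) { id email createdAt } }',
  'const q = `mutation { updateProfile(input: {displayName: "x"}) { ok } }`;',
  '<div id="app" data-gql-type="UserProfile"></div>',
];
// Constructed stand-in for the google-10000-english list.
const GENERAL = ['the', 'user', 'email', 'account', 'profile'];

// Usage: node farm.js > farmed_words.txt   (one candidate name per line)
const WORDLIST = buildWordlist(farmNames(SOURCES), GENERAL);
process.stdout.write(WORDLIST.join('\n') + '\n');
```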
Useful flags:
- `-t 20` if the site is slow to respond, add a longer timeout
- `-d "mutation { FUZZ }"` changing the initial fuzzing query may help (default `"query { FUZZ }"`)
- `-H "Cookie: somecookie=something"` in case an auth cookie or header is required

**Bonus note:** Highly recommended to throw the output JSON file into [GraphQL Voyager](https://apis.guru/graphql-voyager/) to get a nice map/view of the available names, types and schema.
## 2. Convert JSON schema to .gql schema file
Here's a quick script to convert the JSON schema file into a .gql file supported by most GraphQL playground apps. Requires [NodeJS](https://nodejs.org/en/download/).
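As an added example (not the gist's own script), a dependency-free Node version of that conversion. It assumes the JSON is in the standard introspection result shape (`data.__schema.types`, the same shape GraphQL Voyager consumes); with the `graphql` npm package installed, `buildClientSchema` followed by `printSchema` does the same job.

```javascript
// Added example (not the gist's script): render an introspection-style JSON
// schema ({ data: { __schema: { types: [...] } } }) as SDL text for playgrounds.
const BUILTIN = new Set(['String', 'Int', 'Float', 'Boolean', 'ID']);
const KEYWORD = { OBJECT: 'type', INTERFACE: 'interface', INPUT_OBJECT: 'input' };

// Render a type reference, unwrapping NON_NULL / LIST wrappers recursively.
function typeRef(t) {
  if (t.kind === 'NON_NULL') return `${typeRef(t.ofType)}!`;
  if (t.kind === 'LIST') return `[${typeRef(t.ofType)}]`;
  return t.name;
}

// Render one __Type entry as an SDL definition, or null when it is skipped.
function printType(t) {
  if (t.name.startsWith('__')) return null;                 // introspection meta types
  if (t.kind === 'SCALAR') return BUILTIN.has(t.name) ? null : `scalar ${t.name}`;
  if (t.kind === 'ENUM')
    return `enum ${t.name} {\n${t.enumValues.map(v => `  ${v.name}`).join('\n')}\n}`;
  if (t.kind === 'UNION')
    return `union ${t.name} = ${t.possibleTypes.map(p => p.name).join(' | ')}`;
  if (!KEYWORD[t.kind]) return null;                         // unknown kind: skip
  const body = (t.fields || t.inputFields || []).map(f => {  // input types use inputFields
    const args = (f.args || []).map(a => `${a.name}: ${typeRef(a.type)}`);
    return `  ${f.name}${args.length ? `(${args.join(', ')})` : ''}: ${typeRef(f.type)}`;
  });
  return `${KEYWORD[t.kind]} ${t.name} {\n${body.join('\n')}\n}`;
}

// Whole schema -> SDL string; accepts { data: { __schema } } or a bare { __schema }.
function toSDL(json) {
  const schema = (json.data || json).__schema;
  return schema.types.map(printType).filter(Boolean).join('\n\n') + '\n';
}

// Constructed sample (not real target data) so the script also runs without a file.
const SAMPLE = { data: { __schema: { types: [
  { kind: 'OBJECT', name: 'Query', fields: [{ name: 'user', type: { kind: 'OBJECT', name: 'User' },
    args: [{ name: 'id', type: { kind: 'NON_NULL', ofType: { kind: 'SCALAR', name: 'ID' } } }] }] },
  { kind: 'OBJECT', name: 'User', fields: [
    { name: 'id', type: { kind: 'NON_NULL', ofType: { kind: 'SCALAR', name: 'ID' } } },
    { name: 'roles', type: { kind: 'LIST', ofType: { kind: 'ENUM', name: 'Role' } } } ] },
  { kind: 'ENUM', name: 'Role', enumValues: [{ name: 'ADMIN' }, { name: 'USER' }] },
  { kind: 'SCALAR', name: 'ID' }, { kind: 'SCALAR', name: 'DateTime' } ] } } };

// Usage: node json2gql.js schema.json schema.gql   (no arguments: print the sample)
const [src, dst] = process.argv.slice(2);
if (src && dst) { const fs = require('fs'); fs.writeFileSync(dst, toSDL(JSON.parse(fs.readFileSync(src, 'utf8')))); }
else process.stdout.write(toSDL(SAMPLE));
```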
[Altair](https://altair.sirmuel.design) is a GraphQL client that helps with a lot of the query building, autocomplete and refactoring of GraphQL queries. The Chrome plugin is invaluable for testing as it can be run inline with your proxy server and side by side on your web app test.
1. Grab and install the Chrome plugin [here](https://chrome.google.com/webstore/detail/altair-graphql-client/flnheeellpciglgpaodhkhmapeljopja?hl=en)
2. Open the Altair view in Chrome
3. Chuck your GraphQL endpoint in the POST/GET text box and press `Docs`
5. The bruteforced schema will now be loaded into the Docs view and will help you navigate names and generate queries. If you hover over a Query/Mutation name or type it will let you `Add query` to your Query request pane.
**Tip:** If you get errors when sending a request saying that a field requires subfields, put your cursor on the specific field in the query and hit `Ctrl+Shift+Enter` to auto populate the type.
## Summary
Das' it. My leeched notes to help with GraphQL inspection when introspection doesn't exist. Thanks to a few people for pointing out some tools and refs ([@infosec_au](https://twitter.com/infosec_au), [@nnwakelam](https://twitter.com/nnwakelam)).
My boring Twitter [@me0wday](https://twitter.com/me0wday)