From 801aecb2baa68f7b8b45f0d8ab01c97c37f7e330 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 29 Nov 2024 13:49:54 +0100 Subject: [PATCH] GraphQL + HPP --- GraphQL Injection/README.md | 50 +++++++------- HTTP Parameter Pollution/README.md | 103 ++++++++++++++++++++--------- Headless Browser/README.md | 23 +++++-- 3 files changed, 114 insertions(+), 62 deletions(-) diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index 8a23a1ecf6..5c3d2afb6d 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -7,23 +7,23 @@ - [Tools](#tools) - [Enumeration](#enumeration) - - [Common GraphQL endpoints](#common-graphql-endpoints) - - [Identify an injection point](#identify-an-injection-point) + - [Common GraphQL Endpoints](#common-graphql-endpoints) + - [Identify An Injection Point](#identify-an-injection-point) - [Enumerate Database Schema via Introspection](#enumerate-database-schema-via-introspection) - [Enumerate Database Schema via Suggestions](#enumerate-database-schema-via-suggestions) - - [Enumerate the types' definition](#enumerate-the-types-definition) - - [List path to reach a type](#list-path-to-reach-a-type) + - [Enumerate Types Definition](#enumerate-types-definition) + - [List Path To Reach A Type](#list-path-to-reach-a-type) - [Methodology](#methodology) - - [Extract data](#extract-data) - - [Extract data using edges/nodes](#extract-data-using-edgesnodes) - - [Extract data using projections](#extract-data-using-projections) - - [Use mutations](#use-mutations) + - [Extract Data](#extract-data) + - [Extract Data Using Edges/Nodes](#extract-data-using-edgesnodes) + - [Extract Data Using Projections](#extract-data-using-projections) + - [Mutations](#mutations) - [GraphQL Batching Attacks](#graphql-batching-attacks) - - [JSON list based batching](#json-list-based-batching) - - [Query name based batching](#query-name-based-batching) + - [JSON List Based Batching](#json-list-based-batching) + - [Query Name Based Batching](#query-name-based-batching) - [Injections](#injections) - - [NOSQL injection](#nosql-injection) - - [SQL injection](#sql-injection) + - [NOSQL Injection](#nosql-injection) + - [SQL Injection](#sql-injection) - [Labs](#labs) - [References](#references) @@ -46,9 +46,9 @@ ## Enumeration -### Common GraphQL endpoints +### Common GraphQL Endpoints -Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint. +Most of the time GraphQL is located at the `/graphql` or `/graphiql` endpoint. A more complete list is available at [danielmiessler/SecLists/graphql.txt](https://github.com/danielmiessler/SecLists/blob/fe2aa9e7b04b98d94432320d09b5987f39a17de8/Discovery/Web-Content/graphql.txt). ```ps1 @@ -63,7 +63,7 @@ A more complete list is available at [danielmiessler/SecLists/graphql.txt](https ``` -### Identify an injection point +### Identify An Injection Point ```js example.com/graphql?query={__schema{types{name}}} @@ -211,7 +211,7 @@ You can also try to bruteforce known keywords, field and type names using wordli -### Enumerate the types' definition +### Enumerate Types Definition Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type @@ -220,7 +220,7 @@ Enumerate the definition of interesting types using the following GraphQL query, ``` -### List path to reach a type +### List Path To Reach A Type ```php $ git clone https://gitlab.com/dee-see/graphql-path-enum @@ -246,7 +246,7 @@ Found 27 ways to reach the "Skill" node from the "Query" node: ## Methodology -### Extract data +### Extract Data ```js example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} @@ -256,7 +256,7 @@ example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} -### Extract data using edges/nodes +### Extract Data Using Edges/Nodes ```json { @@ -272,7 +272,7 @@ example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} } ``` -### Extract data using projections +### Extract Data Using Projections :warning: Don’t forget to escape the " inside the **options**. @@ -281,7 +281,7 @@ example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}} ``` -### Use mutations +### Mutations Mutations work like function, you can use them to interact with the GraphQL. @@ -299,7 +299,7 @@ Common scenario: * 2FA bypassing -#### JSON list based batching +#### JSON List Based Batching > Query batching is a feature of GraphQL that allows multiple queries to be sent to the server in a single HTTP request. Instead of sending each query in a separate request, the client can send an array of queries in a single POST request to the GraphQL server. This reduces the number of HTTP requests and can improve the performance of the application. @@ -323,7 +323,7 @@ Query batching works by defining an array of operations in the request body. Eac ``` -#### Query name based batching +#### Query Name Based Batching ```json { @@ -348,7 +348,7 @@ mutation { > SQL and NoSQL Injections are still possible since GraphQL is just a layer between the client and the database. -### NOSQL injection +### NOSQL Injection Use `$regex`, `$ne` from []() inside a `search` parameter. @@ -364,7 +364,7 @@ Use `$regex`, `$ne` from []() inside a `search` parameter. ``` -### SQL injection +### SQL Injection Send a single quote `'` inside a graphql parameter to trigger the SQL injection diff --git a/HTTP Parameter Pollution/README.md b/HTTP Parameter Pollution/README.md index 1e1ec629c5..7eb9f5984d 100644 --- a/HTTP Parameter Pollution/README.md +++ b/HTTP Parameter Pollution/README.md @@ -5,50 +5,93 @@ ## Summary * [Tools](#tools) -* [How to test](#how-to-test) - * [Table of reference](#table-of-reference) +* [Methodology](#methodology) + * [Parameter Pollution Table](#parameter-pollution-table) + * [Parameter Pollution Payloads](#parameter-pollution-payloads) * [References](#references) ## Tools -No tools needed. Maybe Burp or OWASP ZAP. +* **Burp Suite**: Manually modify requests to test duplicate parameters. +* **OWASP ZAP**: Intercept and manipulate HTTP parameters. -## How to test -HPP allows an attacker to bypass pattern based/black list proxies or Web Application Firewall detection mechanisms. This can be done with or without the knowledge of the web technology behind the proxy, and can be achieved through simple trial and error. +## Methodology -``` -Example scenario. -WAF - Reads first param -Origin Service - Reads second param. In this scenario, developer trusted WAF and did not implement sanity checks. +HTTP Parameter Pollution (HPP) is a web security vulnerability where an attacker injects multiple instances of the same HTTP parameter into a request. The server's behavior when processing duplicate parameters can vary, potentially leading to unexpected or exploitable behavior. + +HPP can target two levels: + +* Client-Side HPP: Exploits JavaScript code running on the client (browser). +* Server-Side HPP: Exploits how the server processes multiple parameters with the same name. -Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.) + +**Examples**: + +```ps1 +/app?debug=false&debug=true +/transfer?amount=1&amount=5000 ``` -### Table of reference + +### Parameter Pollution Table When ?par1=a&par1=b -| Technology | Parsing Result |outcome (par1=)| -| ------------------ |--------------- |:-------------:| -| ASP.NET/IIS |All occurrences |a,b | -| ASP/IIS |All occurrences |a,b | -| PHP/Apache |Last occurrence |b | -| PHP/Zues |Last occurrence |b | -| JSP,Servlet/Tomcat |First occurrence |a | -| Perl CGI/Apache |First occurrence |a | -| Python Flask |First occurrence |a | -| Python Django |Last occurrence |b | -| Nodejs |All occurrences |a,b | -| Golang net/http - `r.URL.Query().Get("param")` |First occurrence |a | -| Golang net/http - `r.URL.Query()["param"]` |All occurrences in array |['a','b'] | -| IBM Lotus Domino |First occurrence |a | -| IBM HTTP Server |First occurrence |a | -| Perl CGI/Apache |First occurrence |a | -| mod_wsgi (Python)/Apache |First occurrence |a | -| Python/Zope |All occurrences in array |['a','b'] | -| Ruby on Rails |Last occurrence |b | +| Technology | Parsing Result | outcome (par1=) | +| ----------------------------------------------- | ------------------------ | --------------- | +| ASP.NET/IIS | All occurrences | a,b | +| ASP/IIS | All occurrences | a,b | +| Golang net/http - `r.URL.Query().Get("param")` | First occurrence | a | +| Golang net/http - `r.URL.Query()["param"]` | All occurrences in array | ['a','b'] | +| IBM HTTP Server | First occurrence | a | +| IBM Lotus Domino | First occurrence | a | +| JSP,Servlet/Tomcat | First occurrence | a | +| mod_wsgi (Python)/Apache | First occurrence | a | +| Nodejs | All occurrences | a,b | +| Perl CGI/Apache | First occurrence | a | +| Perl CGI/Apache | First occurrence | a | +| PHP/Apache | Last occurrence | b | +| PHP/Zues | Last occurrence | b | +| Python Django | Last occurrence | b | +| Python Flask | First occurrence | a | +| Python/Zope | All occurrences in array | ['a','b'] | +| Ruby on Rails | Last occurrence | b | + + +### Parameter Pollution Payloads + +* Duplicate Parameters: + ```ps1 + param=value1¶m=value2 + ``` + +* Array Injection: + ```ps1 + param[]=value1 + param[]=value1¶m[]=value2 + param[]=value1¶m=value2 + param=value1¶m[]=value2 + ``` + +* Encoded Injection: + ```ps1 + param=value1%26other=value2 + ``` + +* Nested Injection: + ```ps1 + param[key1]=value1¶m[key2]=value2 + ``` + +* JSON Injection: + ```ps1 + { + "test": "user", + "test": "admin" + } + ``` ## References diff --git a/Headless Browser/README.md b/Headless Browser/README.md index 14d155707b..2470fc4cb7 100644 --- a/Headless Browser/README.md +++ b/Headless Browser/README.md @@ -9,7 +9,7 @@ * [Headless Commands](#headless-commands) * [Local File Read](#local-file-read) -* [Debugging Port ](#debugging-port) +* [Debugging Port](#debugging-port) * [Network](#network) * [Port Scanning](#port-scanning) * [DNS Rebinding](#dns-rebinding) @@ -20,11 +20,20 @@ Example of headless browsers commands: -```ps1 -google-chrome --headless[=(new|old)] --print-to-pdf https://www.google.com -firefox --screenshot https://www.google.com -"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-gpu --window-size=1280,720 --screenshot="C:\tmp\screen.png" "https://google.com" -``` +* Google Chrome + ```ps1 + google-chrome --headless[=(new|old)] --print-to-pdf https://www.google.com + ``` + +* Mozilla Firefox + ```ps1 + firefox --screenshot https://www.google.com + ``` + +* Microsoft Edge + ```ps1 + "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless --disable-gpu --window-size=1280,720 --screenshot="C:\tmp\screen.png" "https://google.com" + ``` ## Local File Read @@ -52,7 +61,7 @@ Target: `google-chrome-stable --headless[=(new|old)] --print-to-pdf https://site ``` -## Debugging Port +## Debugging Port **Target**: `google-chrome-stable --headless=new --remote-debugging-port=XXXX ./index.html`