Skip to content

Research Update Enhanced src/network-services-pentesting/pen... #1162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+74 −0
Open

Research Update Enhanced src/network-services-pentesting/pen... #1162

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
74 changes: 74 additions & 0 deletions src/network-services-pentesting/pentesting-web/graphql.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -600,6 +600,78 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
'https://example.com/graphql'
```

## Recent Vulnerabilities (2023-2025)

> The GraphQL ecosystem evolves very quickly; during the last two years several critical issues were disclosed in the most-used server libraries. When you find a GraphQL endpoint it is therefore worth fingerprinting the engine (see **graphw00f**) and checking the running version against the vulnerabilities below.

### CVE-2024-47614 – `async-graphql` directive-overload DoS (Rust)
* Affected: async-graphql < **7.0.10** (Rust)
* Root cause: no limit on **duplicated directives** (e.g. thousands of `@include`) which are expanded into an exponential number of execution nodes.
* Impact: a single HTTP request can exhaust CPU/RAM and crash the service.
* Fix/mitigation: upgrade ≥ 7.0.10 or call `SchemaBuilder.limit_directives()`; alternatively filter requests with a WAF rule such as `"@include.*@include.*@include"`.

```graphql
# PoC – repeat @include X times
query overload {
__typename @include(if:true) @include(if:true) @include(if:true)
}
```

### CVE-2024-40094 – `graphql-java` ENF depth/complexity bypass
* Affected: graphql-java < 19.11, 20.0-20.8, 21.0-21.4
* Root cause: **ExecutableNormalizedFields** were not considered by `MaxQueryDepth` / `MaxQueryComplexity` instrumentation. Recursive fragments therefore bypassed all limits.
* Impact: unauthenticated DoS against Java stacks that embed graphql-java (Spring Boot, Netflix DGS, Atlassian products…).

```graphql
fragment A on Query { ...B }
fragment B on Query { ...A }
query { ...A }
```

### CVE-2023-23684 – WPGraphQL SSRF to RCE chain
* Affected: WPGraphQL ≤ 1.14.5 (WordPress plugin).
* Root cause: the `createMediaItem` mutation accepted attacker-controlled **`filePath` URLs**, allowing internal network access and file writes.
* Impact: authenticated Editors/Authors could reach metadata endpoints or write PHP files for remote code execution.

---

## Incremental delivery abuse: `@defer` / `@stream`
Since 2023 most major servers (Apollo 4, GraphQL-Java 20+, HotChocolate 13) implemented the **incremental delivery** directives defined by the GraphQL-over-HTTP WG. Every deferred patch is sent as a **separate chunk**, so the total response size becomes *N + 1* (envelope + patches). A query that contains thousands of tiny deferred fields therefore produces a large response while costing the attacker only one request – a classical **amplification DoS** and a way to bypass body-size WAF rules that only inspect the first chunk. WG members themselves flagged the risk.

Example payload generating 2 000 patches:

```graphql
query abuse {
% for i in range(0,2000):
f{{i}}: __typename @defer
% endfor
}
```

Mitigation: disable `@defer/@stream` in production or enforce `max_patches`, cumulative `max_bytes` and execution time. Libraries like **graphql-armor** (see below) already enforce sensible defaults.

---

## Defensive middleware (2024+)

| Project | Notes |
|---|---|
| **graphql-armor** | Node/TypeScript validation middleware published by Escape Tech. Implements plug-and-play limits for query depth, alias/field/directive counts, tokens and cost; compatible with Apollo Server, GraphQL Yoga/Envelop, Helix, etc. |

Quick start:

```ts
import { protect } from '@escape.tech/graphql-armor';
import { applyMiddleware } from 'graphql-middleware';

const protectedSchema = applyMiddleware(schema, ...protect());
```

`graphql-armor` will now block overly deep, complex or directive-heavy queries, protecting against the CVEs above.

---


## Tools

### Vulnerability scanners
Expand Down Expand Up @@ -641,5 +713,7 @@ https://graphql-dashboard.herokuapp.com/
- [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/README.md)
- [**https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696**](https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696)
- [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
- [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8)
- [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor)

{{#include ../../banners/hacktricks-training.md}}