
black-hat-graphql's Introduction

Black Hat GraphQL

Book files for Black Hat GraphQL.

Enjoy!


Errata

  • Page 83 Listing 4-14: grep command should be corrected to: grep -Hnio "graphiql\|graphql-playground" dvga-report/source/*
  • Page 112: The sentence "In DVGA, run the following query [...]" should read: "In Altair, run the following query [...]".
  • Page 177: The COOKIES variable value should read {"session":"session-secret"}

Notes

  • Due to changes in InQL, you may need to install the tool from its V4 branch; the latest version there is 4.0.7.

black-hat-graphql's People

Contributors

dolevf, mathdeziel, nicholasaleks


black-hat-graphql's Issues

Ch 7 page 181 Listing 7-8; DVGA introspection query to fetch Directive names & args, what response should I expect?

Hello Graphers,
I'm trying to detect the Authorization layer in the DVGA app by finding SCHEMA DIRECTIVES with this introspection query. But I seem to only receive some short, general description response, which doesn't give me any hints about what directives exist in DVGA, such as @auth, @authorize, @authorization, @authz, and others.

What data response should I expect to see when running this introspection query on the DVGA app?

Listing 7-8

query {
  __schema {
    directives {
      name
      args {
        name
      }
    }
  }
}
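For readers of the issue above, an added example (not code from the book or the DVGA project): a small parser for the response that Listing 7-8's query produces. Every spec-compliant GraphQL server lists at least the built-in directives (@include, @skip, @deprecated, @specifiedBy); any directive the schema author declared appears alongside them, so the useful check is to split the two groups. The sample response below is constructed, and the @auth directive in it is hypothetical; a server that implements authorization in resolvers or middleware rather than as schema directives will legitimately return only the built-ins.

```python
"""Parse the response to the directive introspection query (Listing 7-8).

Added example, not from the book or the DVGA project. SAMPLE_RESPONSE is a
constructed payload containing the four spec built-in directives plus one
made-up custom directive (@auth), so the script runs offline. Replace it
with the JSON your own endpoint returns.
"""
import json

# Directives defined by the GraphQL specification itself. Any compliant
# server lists these even when it declares no custom directives.
BUILTIN_DIRECTIVES = {"include", "skip", "deprecated", "specifiedBy"}

# The query from Listing 7-8, kept here so the example is self-contained.
DIRECTIVES_QUERY = """
query {
  __schema {
    directives {
      name
      args {
        name
      }
    }
  }
}
"""

# Constructed sample response; @auth is hypothetical, not a DVGA directive.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "__schema": {
            "directives": [
                {"name": "include", "args": [{"name": "if"}]},
                {"name": "skip", "args": [{"name": "if"}]},
                {"name": "deprecated", "args": [{"name": "reason"}]},
                {"name": "specifiedBy", "args": [{"name": "url"}]},
                {"name": "auth", "args": [{"name": "requires"}]},
            ]
        }
    }
})


def parse_directives(raw):
    """Return {directive_name: [arg names]} from a raw introspection response.

    Raises ValueError when the server answered with errors instead of data,
    which is what an endpoint with introspection disabled typically does.
    """
    body = json.loads(raw)
    if body.get("data") is None:
        raise ValueError("no data in response: %s" % body.get("errors"))
    directives = body["data"]["__schema"]["directives"]
    return {d["name"]: [a["name"] for a in d.get("args", [])] for d in directives}


def split_custom(directives):
    """Separate spec built-ins from directives the schema author added."""
    builtin = {n: a for n, a in directives.items() if n in BUILTIN_DIRECTIVES}
    custom = {n: a for n, a in directives.items() if n not in BUILTIN_DIRECTIVES}
    return builtin, custom


if __name__ == "__main__":
    builtin, custom = split_custom(parse_directives(SAMPLE_RESPONSE))
    print("built-in directives:", sorted(builtin))
    for name, args in custom.items():
        print("custom directive @%s(%s)" % (name, ", ".join(args)))
```

If `split_custom` returns an empty `custom` dictionary for a live endpoint, the schema simply declares no directives of its own; that is the "short, general" response the issue describes, not a parsing problem.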

Chapter 2 - InQL Installation

Hello,

I have run into some issues while following the book in Chapter 2 for installing InQL. I have followed the steps (below) that are provided in the book. However, once I cloned the repo, I realized that the setup.py is under a python directory, so I need to cd into that. Then, once I ran the following command, sudo python3 setup.py install, I got some errors about not using setup.py directly, and when the command completes and I try to see if InQL is installed, I get an error that it does not exist. I have looked into the README of the repo and I do not see anything about installing locally on the terminal, unless I missed this. On the other hand, I have found a pip package: pip install inql. I wonder if this install process was previously working or if there are other ways around it so that we can follow the book, as the book states that we will be using InQL later in the book. I did not know where else to post this Q&A. I am going through the book on the O'Reilly platform.

Let’s install InQL. Open the terminal and enter the following commands:

# cd ~
# git clone https://github.com/doyensec/inql.git
# cd inql
# sudo python3 setup.py install

Errata - Book edition 1, Page 177

Printed edition

# cat config.py

HEADERS = {"Authorization": "Bearer mytoken"}
COOKIES = {"session:"session-secret"}

Typo fix

# cat config.py

HEADERS = {"Authorization": "Bearer mytoken"}
COOKIES = {"session": "session-secret"}

Could you also write the Errata pages for iPad horizontal or vertical mode?

Hi Dolev Farhi & Nick Aleks, Great book!

I made the mistake of purchasing your book directly from Apple iTunes instead of from NoStarch website. So I don't have the PDF version of the book. : (

Could you guys in your Errata page also write the page number for iPad horizontal or vertical mode?

For example, for Listing 4-14 you have written page 83, but in iPad horizontal mode it is page 85 and in vertical mode it is page 103.
So when you mention errata at page 112 without any listing numbers, I can't pinpoint the text directly on my iPad.

Best Regards

Ch 8 page 209 Listing 8-5; Can't make the commix command work.

Hi,

On chapter 8 page 209 Listing 8-5, I can't make the example commix command work against the DVGA webapp. I'm not getting the same CLI questions when running commix compared to the book's example in Listing 8-5. I'm wondering which version of commix did you guys use for the book?

My Kali Linux apt install used commix v3.7. When I uninstalled commix from apt and instead installed commix from their git repo, I had commix v3.8-dev#44. But both versions still gave me issues when trying to perform the book's Listing 8-5 CLI example.

I don't understand what I'm doing wrong, did I mistype some characters, or did commix's latest versions break this example command?

# Trial 1
$ sudo commix --url="http://127.0.0.1:5013/graphql" --data='{"query":"query{systemDebug(arg:\"test\")}"}' -p arg

# Trial 2
$ sudo commix --url="http://localhost:5013/graphql" --data='{"query":"query{systemDebug(arg:\"test\")}"}' -p arg

# Trial 3
$ sudo commix --url="http://127.0.0.1:5013/graphql" --data='{"query":"query{systemDebug(arg:\"test \")}"}' -p arg --level=2

# Trial 4
$ python3 commix.py --url="http://127.0.0.1:5013/graphql" --data='{"query":"query{systemDebug(arg:\"test\")}"}' -p arg


# ERROR for all these tests, commix says that it didn't find any injection vulnerabilities with the arg entry point.

Why Inql Showing Error When Version Greater than V4.0.7

Hi Bro,

Before reading this tool update, I cloned the InQL repo and executed the command, but I got an error. Later, I found there was no setup.py file in the InQL folder. I then went to the Python folder, ran the command, and it installed InQL, but I still couldn't access it. After that, I saw your note in README.md, so I downloaded the v4.0.7 source code zip file, extracted it, and installed it. Now I can use InQL, although I'm getting a warning like this:

/usr/local/bin/inql:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('inql==4.0.7', 'inql')
usage: inql [-h] [-t TARGET] [-f SCHEMA_JSON_FILE] [-k KEY] [-p PROXY]
            [--header HEADERS HEADERS] [-d] [--no-generate-html]
            [--no-generate-schema] [--no-generate-queries]
            [--generate-cycles] [--cycles-timeout CYCLES_TIMEOUT]
            [--cycles-streaming] [--generate-tsv] [--insecure]
            [-o OUTPUT_DIRECTORY]

InQL Scanner

Is this normal, and why are we not using the latest version of InQL?

Thank you, Bro.

Recon: cURL and Altair discrepancy?

Hello Graphers!

I'm performing recon on a public BBP target that uses GraphQL technology. I prefer not to disclose the company name publicly here on GitHub at this stage yet, perhaps in the future. So I will use a random example in its place instead. This public BBP target requires three headers to work with cURL.

# cURL random example

$ curl -X POST https://api.DOMAIN.com:666 \
-d '{"query":"{__typename}"}' \
-H "Origin: https://www.DOMAIN.com" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ey--SNIP--"

# Response
{"data":{"__typename":"Query"}}

Everything looks normal when compared to how the DVGA app responds to this cURL command without headers. But when I try to perform the same GraphQL query in Altair with the same headers, I'm not authorized to run this query.

Is this a normal behavior on hardened production servers?

I even tried to insert all possible headers I could find from the Burp Proxy tool, but I still get the same 401 Unauthorized response.

# Altair

query {
  __typename
}

# Response: 401 Unauthorized
{
  "data": null,
  "errors": [
    {
      "code": "not_authorized",
      "message": "Authorization Required"
    }
  ]
}
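An added example for the issue above (not part of the issue, the book, or any real target): a loopback server that behaves the way a hardened endpoint does when it gates on headers, returning the cURL response only when a matching Origin, a JSON Content-Type and a bearer token are all present, and otherwise the exact 401 body quoted above. The client then sends the same `{__typename}` query with the full header set and with each header dropped in turn, which is how to pin a cURL-versus-GUI-client discrepancy on one concrete header rather than on the server. Origin, token, host and port are all constructed values.

```python
"""Reproduce a header-gated 401 locally and attribute it to a header.

Added example, not from the issue or the book. The server, origin, token
and port below are constructed; nothing here talks to a real endpoint.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ALLOWED_ORIGIN = "https://www.example.com"   # constructed
EXPECTED_TOKEN = "Bearer test-token"          # constructed

# The 401 body quoted in the issue, returned whenever a check fails.
UNAUTHORIZED = {"data": None,
                "errors": [{"code": "not_authorized",
                            "message": "Authorization Required"}]}


class Handler(BaseHTTPRequestHandler):
    """Minimal stand-in for a hardened GraphQL endpoint."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        # All three headers must be present and correct, as in the cURL call.
        ok = (self.headers.get("Origin") == ALLOWED_ORIGIN
              and self.headers.get("Authorization") == EXPECTED_TOKEN
              and self.headers.get("Content-Type", "").startswith("application/json"))
        try:
            query = json.loads(body)["query"]
        except (ValueError, KeyError, TypeError):
            ok, query = False, ""
        if ok and "__typename" in query:
            status, payload = 200, {"data": {"__typename": "Query"}}
        else:
            status, payload = 401, UNAUTHORIZED
        out = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send_query(url, headers):
    """POST {"query":"{__typename}"} with exactly the given headers.

    Returns (status, parsed JSON body) for both 200 and 401 answers.
    """
    data = json.dumps({"query": "{__typename}"}).encode()
    req = Request(url, data=data, headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def compare_header_sets(url):
    """Send with the full header set, then drop one header at a time.

    Note that urllib substitutes application/x-www-form-urlencoded when no
    Content-Type is given, which is exactly the kind of silent client
    default that makes two tools disagree.
    """
    full = {"Origin": ALLOWED_ORIGIN,
            "Content-Type": "application/json",
            "Authorization": EXPECTED_TOKEN}
    results = {"all headers": send_query(url, full)[0]}
    for name in full:
        trimmed = {k: v for k, v in full.items() if k != name}
        results["without " + name] = send_query(url, trimmed)[0]
    return results


if __name__ == "__main__":
    server = start_server()
    url = "http://127.0.0.1:%d/graphql" % server.server_port
    for label, status in compare_header_sets(url).items():
        print("%-24s -> %d" % (label, status))
    server.shutdown()
```

Running the same comparison against a real endpoint (with `send_query` pointed at it and the constructed values replaced by the ones the target expects) shows which single header the GUI client is failing to send or is rewriting; comparing the raw requests of both tools in a proxy then confirms it.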
