GraphQL API 安全攻防指南<\/h1>

0x00 GraphQL 基础概念<\/h2>

GraphQL 简介<\/h3>
GraphQL 是由 Facebook 研发的 API 查询语言，旨在提高客户端和服务器之间的通信效率。与 REST API 相比，GraphQL 允许客户端明确指定其所需的数据，可用于精确查询数据。<\/p>

Schema（模式）<\/h3>

Schema 是 GraphQL 中数据模型的定义，描述了客户端可以访问和操作的数据结构。主要包括三种操作类型：<\/p>

Query<\/strong>：查询操作（必选）<\/li>
Mutation<\/strong>：变更操作（可选）<\/li>

Subscription<\/strong>：订阅操作（可选）<\/li> <\/ol>
示例 Schema：<\/p>
type<\/span> Book<\/span> { <\/span><\/span> id: ID<\/span>! <\/span><\/span> title: String<\/span>! <\/span><\/span> author: String<\/span>! <\/span><\/span> year: Int<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>type<\/span> Query<\/span> { <\/span><\/span> books: [Book<\/span>!]! <\/span><\/span> bookById(id: ID<\/span>: Book<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>type<\/span> Mutation<\/span> { <\/span><\/span> addBook(id: ID<\/span>!, title: String<\/span>!, author: String<\/span>!, year: Int<\/span>): Book<\/span>! <\/span><\/span>} <\/span><\/span> <\/span><\/span>type<\/span> Subscription<\/span> { <\/span><\/span> bookAdded: Book<\/span>! <\/span><\/span>} <\/span><\/span><\/code><\/pre>数据类型（Type）<\/h3> GraphQL 类型分为：<\/p> 标量类型（Scalar）<\/strong>：String、Int、Float、Boolean、Enum、ID<\/li> 对象类型（Object）<\/strong>：自定义的复杂类型<\/li> 其他类型：Interface、Union、Enum、Input<\/li> <\/ol> 操作类型（Operations）<\/h3> Query<\/strong>：用于从服务器查询数据<\/p> query<\/span> { <\/span><\/span> bookById<\/span>(id: "1"<\/span>) { <\/span><\/span> id<\/span> <\/span><\/span> title <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> Mutation<\/strong>：用于修改服务器数据<\/p> mutation<\/span> { <\/span><\/span> addBook<\/span>(title: "1984"<\/span>, author<\/span>: "George Orwell"<\/span>) { <\/span><\/span> id<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> Subscription<\/strong>：用于实时数据推送<\/p> subscription<\/span> { <\/span><\/span> bookAdded<\/span> { <\/span><\/span> title <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 内省（Introspection）<\/h3> GraphQL 的内置功能，用于查询服务端已定义好的 Schema 信息。常用查询：<\/p> 查询所有类型<\/p> { <\/span><\/span> __schema { <\/span><\/span> type<\/span>s<\/span> { <\/span><\/span> name <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 查询特定类型的字段<\/p> { <\/span><\/span> __type(name: "Book"<\/span>) { <\/span><\/span> fields<\/span> { <\/span><\/span> name <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x01 GraphQL 漏洞类型<\/h2> 1. 信息泄露（Information Disclosure）<\/h3> 内省查询<\/strong>：默认开启的内省功能可能泄露敏感信息<\/li> GraphiQL 接口<\/strong>：开发接口可能暴露在 \/graphiql<\/code>、\/playground<\/code> 等路径<\/li> 错误信息<\/strong>：详细的错误信息可能泄露系统内部结构<\/li> <\/ul> 2. 拒绝服务（Denial of Service）<\/h3> 批量查询攻击<\/strong>：单次请求中包含大量查询<\/li> 深度递归查询<\/strong>：利用类型间的循环引用 query<\/span> { <\/span><\/span> pastes<\/span> { <\/span><\/span> owner { <\/span><\/span> pastes { <\/span><\/span> owner { <\/span><\/span> pastes { ...<\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 字段重复攻击<\/strong>：重复大量字段<\/li> 别名攻击<\/strong>：利用别名发送大量请求 query<\/span> { <\/span><\/span> alias1<\/span>: book<\/span>(id:1<\/span>) { title<\/span> } <\/span><\/span> alias2: book<\/span>(id:2<\/span>) { title<\/span> } <\/span><\/span> ...<\/span> <\/span><\/span> alias100: book<\/span>(id:100<\/span>) { title<\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. 注入漏洞<\/h3> SQL 注入<\/strong>：未过滤的用户输入直接拼接至数据库查询<\/li> XSS<\/strong>：未过滤的用户输入返回至前端<\/li> 日志欺骗<\/strong>：通过操作名称误导管理员 mutation<\/span> GetUser<\/span> { <\/span><\/span> updateUser(name:"admin"<\/span>, pass<\/span>:"123456"<\/span>) { id<\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 4. 授权绕过<\/h3> JWT 伪造<\/strong>：修改 JWT 中的身份信息<\/li> 接口保护绕过<\/strong>：修改 Cookie 或 Header<\/li> 查询黑名单绕过<\/strong>：通过添加操作名称或特殊字符绕过<\/li> <\/ul> 5. CSRF 攻击<\/h3> 当 GraphQL 端点支持 x-www-form-urlencoded<\/code> 格式且无 CSRF 防护时可能被利用。<\/p> 0x02 攻击方法论<\/h2> 1. 探测 GraphQL 端点<\/h3> 常见端点路径：<\/p> \/graphql \/graphiql \/playground \/v1\/graphql \/gql <\/code><\/pre> 2. 信息收集<\/h3> 内省查询<\/strong>：<\/p> query<\/span> {__schema<\/span>{query<\/span>Type<\/span>{name}mutation<\/span>Type<\/span>{name}type<\/span>s<\/span>{...<\/span>FullType}}}fragment<\/span> FullType<\/span> on<\/span> __Type{kind name fields{name type<\/span>{name<\/span>}}} <\/span><\/span><\/code><\/pre><\/li> 可视化工具<\/strong>：<\/p> 使用 graphql-voyager<\/a> 可视化 Schema<\/li> <\/ul> <\/li> 自动化工具<\/strong>：<\/p> Clairvoyance（当内省被禁用时）<\/li> <\/ul> pip install clairvoyance <\/span><\/span>clairvoyance https:\/\/target.com\/graphql -o schema.json <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. 绕过防护<\/h3> 内省查询绕过<\/strong>：<\/p> 添加特殊字符（空格、换行、注释）<\/li> 修改请求方法（GET\/POST）<\/li> 修改 Content-Type（application\/json \/ x-www-form-urlencoded）<\/li> <\/ul> <\/li> 暴力破解绕过<\/strong>：<\/p> 使用别名（Aliases）在单次请求中发送多个查询<\/li> <\/ul> query<\/span> { <\/span><\/span> user1<\/span>:user<\/span>(id:1<\/span>) { password<\/span> } <\/span><\/span> user2:user<\/span>(id:2<\/span>) { password<\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 漏洞利用<\/h3> 根据收集到的信息构造特定攻击：<\/p> 敏感数据查询<\/li> 未授权操作<\/li> 注入攻击<\/li> <\/ul> 0x03 实战案例<\/h2> 案例1：私有数据访问<\/h3> 通过内省查询获取 Schema<\/li> 可视化分析数据关系<\/li> 构造查询获取私有数据<\/li> <\/ol> 案例2：内省防护绕过<\/h3> 发现内省查询被过滤<\/li> 使用换行符绕过： query<\/span> { <\/span><\/span> __schema<\/span> <\/span><\/span> { <\/span><\/span> type<\/span>s<\/span> { name } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 案例3：暴力破解防护绕过<\/h3> 发现直接暴力破解被限制<\/li> 使用别名技术： query<\/span> { <\/span><\/span> attempt1<\/span>:login<\/span>(user:"admin"<\/span>,pass<\/span>:"123456"<\/span>) { token<\/span> } <\/span><\/span> attempt2:login<\/span>(user:"admin"<\/span>,pass<\/span>:"password"<\/span>) { token<\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x04 防御措施<\/h2> 禁用内省<\/strong>：生产环境应禁用内省功能<\/li> 查询限制<\/strong>：限制查询深度<\/li> 限制查询复杂度<\/li> 设置查询超时<\/li> <\/ul> <\/li> 输入验证<\/strong>：对所有输入进行严格验证<\/li> 权限控制<\/strong>：实施严格的权限控制<\/li> 日志监控<\/strong>：记录和监控可疑查询<\/li> 速率限制<\/strong>：防止暴力破解<\/li> <\/ol> 0x05 工具推荐<\/h2> 测试工具<\/strong>：<\/p> GraphiQL<\/li> Altair<\/li> Insomnia<\/li> <\/ul> <\/li> 安全工具<\/strong>：<\/p> Inql（BurpSuite 插件）<\/li> Clairvoyance<\/li> GraphQL Cop<\/li> <\/ul> <\/li> 可视化工具<\/strong>：<\/p> GraphQL Voyager<\/li> GraphQL Editor<\/li> <\/ul> <\/li> <\/ol> 0x06 学习资源<\/h2> 官方文档：<\/p> GraphQL 官方文档<\/a><\/li> GraphQL 中文文档<\/a><\/li> <\/ul> <\/li> 靶场环境：<\/p> DVGA<\/a><\/li> PortSwigger 实验室<\/a><\/li> Root-Me<\/a><\/li> <\/ul> <\/li> 参考资源：<\/p> OWASP GraphQL Cheat Sheet<\/a><\/li> PayloadsAllTheThings<\/a><\/li> <\/ul> <\/li> <\/ol>

GraphQL API 安全攻防指南<\/h1>

0x00 GraphQL 基础概念<\/h2>

GraphQL 简介<\/h3> GraphQL 是由 Facebook 研发的 API 查询语言，旨在提高客户端和服务器之间的通信效率。与 REST API 相比，GraphQL 允许客户端明确指定其所需的数据，可用于精确查询数据。<\/p>

0x01 GraphQL 漏洞类型<\/h2>

5. CSRF 攻击<\/h3> 当 GraphQL 端点支持 x-www-form-urlencoded<\/code> 格式且无 CSRF 防护时可能被利用。<\/p>

3. 绕过防护<\/h3> 内省查询绕过<\/strong>：<\/p>

0x03 实战案例<\/h2>

GraphQL 简介<\/h3>
GraphQL 是由 Facebook 研发的 API 查询语言，旨在提高客户端和服务器之间的通信效率。与 REST API 相比，GraphQL 允许客户端明确指定其所需的数据，可用于精确查询数据。<\/p>

5. CSRF 攻击<\/h3>
当 GraphQL 端点支持 `x-www-form-urlencoded<\/code> 格式且无 CSRF 防护时可能被利用。<\/p>`