Portswigger - GraphQL API Vulnerabilities - Lab #5 Performing CSRF exploits over GraphQL

Author: Popo Hack

Uploaded: 2023-08-26

Views: 5389

Description: Hello Hackers, in this video on performing CSRF exploits over GraphQL you will see the basics of discovering and exploiting a GraphQL endpoint through cross-site request forgery.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
1:29 - Mapping the lab
3:27 - Convert GraphQL API to Request API
7:25 - CSRF attack

🔍 About the Lab
Lab: Performing CSRF exploits over GraphQL
Level: Practitioner
The user management functions for this lab are powered by a GraphQL endpoint. That endpoint also accepts requests with a content type of application/x-www-form-urlencoded and is therefore vulnerable to cross-site request forgery (CSRF) attacks. We will convert the GraphQL JSON request into a form-encoded request, then see how to build the CSRF attack as an HTML file and deliver it to the target.

⚠️ Recommendation
It is recommended that you install the InQL extension before attempting this lab: it makes it easier to modify GraphQL queries in Repeater and lets you scan the API schema. You can watch my previous video to learn how to use this extension ➡️ Portswigger - GraphQL API Vulnerabilities ... ✅

✅ What to do?
1. Go to "My account" and log in as the wiener user.

2. Intercept the update email request and note that it uses the GraphQL endpoint.

3. Change the content type from "application/json" to "application/x-www-form-urlencoded".

4. Modify the JSON body into URL-encoded form, send the request and check that it still works.

5. If you are using the Pro edition, right-click and go to "Engagement tools", then "Generate CSRF PoC"; if you use the Community edition, go to your code editor and write the HTML code yourself (see the code in the video).

6. Copy the HTML, click "Go to exploit server" and send it to the target.
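As an added example (not code from the video or from PortSwigger), the following Python models why steps 3 and 4 matter: a weak endpoint that accepts the form-encoded body an HTML form can submit cross-site, beside a hardened one that only executes operations sent as application/json over POST. The mutation text, field names and email value are constructed assumptions, not the lab's exact schema.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample body: an email-change mutation of the kind the lab's
# "update email" request carries (operation and field names are assumptions).
JSON_BODY = json.dumps({
    "query": "mutation changeEmail($email: String!) { changeEmail(email: $email) { email } }",
    "variables": {"email": "wiener@example.net"},
})

def as_form_body(json_body: str) -> str:
    """Re-encode the JSON body the way a plain HTML <form> would submit it.

    This is the step-4 transformation: the same operation, but carried as
    application/x-www-form-urlencoded fields instead of a JSON document.
    """
    data = json.loads(json_body)
    return urlencode({"query": data["query"],
                      "variables": json.dumps(data.get("variables", {}))})

def parse_graphql_request(method: str, content_type: str, body: str, strict: bool):
    """Return the operation the endpoint would execute, or None if it refuses.

    strict=False mirrors the lab's weak endpoint, which also accepts a form
    post.  strict=True is the hardened behaviour: POST only, JSON only.  A
    cross-site HTML form cannot set a JSON content type (a script would need
    a CORS preflight for that), so the hardened endpoint cannot be driven by
    the CSRF page built in step 5.  A CSRF token check is the usual second
    layer; it is left out here to keep the content-type rule visible.
    """
    if method.upper() != "POST":
        return None  # GET would let a query string carry the operation
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/json":
        data = json.loads(body)
        return {"query": data["query"], "variables": data.get("variables", {})}
    if media_type == "application/x-www-form-urlencoded" and not strict:
        fields = parse_qs(body)
        return {"query": fields["query"][0],
                "variables": json.loads(fields.get("variables", ["{}"])[0])}
    return None  # anything else, including text/plain form posts, is refused
```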

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋

#WebSecurityAcademy #portswigger #GraphQL #vulnerability
