Stack trace discovery #12

Closed
halfluke opened this issue Aug 19, 2022 · 4 comments
halfluke commented Aug 19, 2022

Hi Dolev,

I've just found this new tool of yours and it looks pretty cool!
I've tested it on an assessment I had at work and I've found minor things that could be improved - of course it works perfectly on dvga!
I'll see if I can submit some little PRs if I find the time.

Quick question: looking at info_trace_mode.py, I am not able to understand what it looks for in order to decide if trace mode is enabled.
Would you mind explaining?
I tried to alter the related query to:
{"query": "query { __typenaaame }"}

and I get on dvga:
HTTP/1.1 400 BAD REQUEST
Content-Type: application/json
Content-Length: 117
Date: Fri, 19 Aug 2022 18:53:39 GMT

{"errors":[{"message":"Cannot query field \"__typenaaame\" on type \"Query\".","locations":[{"line":1,"column":9}]}]}

But it's still not flagged as an issue.
I am not sure how these lines work, to be honest:
  try:
    # Looks for errors -> extensions -> tracing in the parsed JSON body.
    # Note the chained .get() calls only work when 'errors' is a dict; the
    # GraphQL spec makes 'errors' a list, and list.get raises AttributeError,
    # which the bare except below swallows.
    if gql_response.json().get('errors', {}).get('extensions', {}).get('tracing'):
      res['result'] = True
    # Same lookup for errors -> extensions -> exception.
    elif gql_response.json().get('errors', {}).get('extensions', {}).get('exception', None):
      res['result'] = True
    # Fallback: the literal text 'stacktrace' anywhere in the body.
    elif 'stacktrace' in str(gql_response.json()).lower():
      res['result'] = True
  except:
    # Any parse or lookup failure leaves res['result'] unchanged.
    pass

Thank you for another awesome tool and for dvga v2!

@dolevf dolevf self-assigned this Aug 23, 2022
dolevf commented Aug 23, 2022

Hi,

It's looking for specific response keys such as exception and tracing within the extensions key (where you should usually see tracing information). This could vary and be custom on different GraphQL servers but it should catch the standard ones.

e.g.

{"errors":"aaa","data":"aaa","extensions":{ "tracing":"some trace data"} }

@dolevf dolevf added the question Further information is requested label Aug 23, 2022
halfluke commented Aug 23, 2022

Thank you. I understand this issue is not in dvga because dvga does not return 'tracing', 'exception' or 'stacktrace', but shouldn't the payload for this test be something like {"query": "query { __typenaaame }"} ?
At least it would trigger an error in this way.

(By the way, I have a PR ready to:

  • support multiple headers by repeating -H more than once (I needed this to add a bearer token AND overwrite the Accept header, because my app wanted it to be always set to application/json and graphql-cop sends */* by default). Or another example: dvga wants Accept: text/html on the GET request to correctly identify the IDE (graphiql - [LOW] GraphQL IDE - GraphiQL Explorer/Playground Enabled (Information Leakage))
  • Small increase to GET timeouts (from 5 seconds to 15), in case you want to intercept with Burp and take a look at the request
  • for loop to detect Graphiql IDEs with multiple GET requests in cases like my app, where graphql was located at /xxx/graphql.
    So GET requests will be sent to /graphiql /console /playground and then to /xxx/graphiql /xxx/console /xxx/playground etc.)
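The three behaviours described in the PR above, written out as an added example (this is not graphql-cop's code or the PR itself; the -t/-H/--timeout flag names, the localhost URLs in the usage and the argparse front end are this example's own assumptions). ide_candidates generalises the single-prefix case in the description: for an endpoint nested more than one level deep it tries the IDE paths under every prefix of the endpoint path.

```python
"""Added example (not graphql-cop's own code): the three CLI behaviours
described in the PR above, as stand-alone helpers."""
import argparse
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

# graphql-cop sends Accept: */* by default (per the thread); the user must be
# able to override it with -H.
DEFAULT_HEADERS = {"Accept": "*/*"}
# Well-known IDE paths the thread lists.
IDE_PATHS = ("/graphiql", "/console", "/playground")


def merge_headers(cli_headers: List[str],
                  defaults: Dict[str, str] = DEFAULT_HEADERS) -> Dict[str, str]:
    """Fold repeated -H "Name: value" arguments into one header dict.

    A user-supplied header replaces a default of the same name; names are
    compared case-insensitively because HTTP header names are.
    """
    merged = dict(defaults)  # copy so the defaults are never mutated
    for raw in cli_headers:
        name, sep, value = raw.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"expected 'Name: value', got {raw!r}")
        name, value = name.strip(), value.strip()
        for existing in list(merged):
            if existing.lower() == name.lower():
                del merged[existing]
        merged[name] = value
    return merged


def ide_candidates(endpoint: str, paths=IDE_PATHS) -> List[str]:
    """GET targets for IDE discovery: the well-known paths at the site root,
    then under every prefix of the endpoint's own path.  For /xxx/graphql
    that is /graphiql, /console, /playground, /xxx/graphiql, ...; deeper
    endpoints such as /a/b/graphql also try /a/... and /a/b/... (a
    generalisation of the single-prefix case in the PR description)."""
    parts = urlsplit(endpoint)
    segments = [s for s in parts.path.split("/") if s]
    # "" (site root), "/a", "/a/b", ... but never the endpoint's last segment
    prefixes = [""] + ["/" + "/".join(segments[:i]) for i in range(1, len(segments))]
    return [urlunsplit((parts.scheme, parts.netloc, prefix + p, "", ""))
            for prefix in prefixes for p in paths]


def build_parser() -> argparse.ArgumentParser:
    """Hypothetical CLI front end (flag names are this example's, not graphql-cop's)."""
    parser = argparse.ArgumentParser(description="GraphQL IDE discovery helper")
    parser.add_argument("-t", "--target", required=True, help="GraphQL endpoint URL")
    # action="append" is what makes -H repeatable
    parser.add_argument("-H", "--header", action="append", default=[],
                        help="repeatable, e.g. -H 'Authorization: Bearer ...' "
                             "-H 'Accept: application/json'")
    parser.add_argument("--timeout", type=float, default=15.0,
                        help="seconds per GET; long enough to inspect the request in a proxy")
    return parser


if __name__ == "__main__":
    # e.g. python ide_discovery.py -t http://localhost:5013/xxx/graphql \
    #        -H 'Authorization: Bearer TOKEN' -H 'Accept: text/html'
    args = build_parser().parse_args()
    print(merge_headers(args.header))
    for url in ide_candidates(args.target):
        print(url)
```

The actual GET loop is left to the caller: pass each URL from ide_candidates together with the merged headers and the timeout to whatever HTTP client the tool uses.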

dolevf commented Aug 23, 2022

First: Thank you for improving this tool! I will take a look at your PR once it's up.
Second: You are making a valid point. The query currently in use will not trigger an exception because it's valid across all GraphQL APIs. So an exception won't be seen if there's nothing to throw exceptions on. However, tracing, on the other hand, is sometimes shown as part of valid/non-valid requests.

I can look into maybe splitting this to two test cases so it covers both.

thanks!
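What the two-probe split discussed in this thread looks like in code, as an added example (not graphql-cop's info_trace_mode.py and not the fix in #14): one probe with the always-valid `__typename` query for servers that attach tracing to successful responses, one with a bogus field to force an error for servers that attach exception details to errors. It goes beyond the snippet quoted above in that it also treats `errors` as the list the GraphQL spec defines and checks `extensions` both at the top level and inside each error. The `send` callable and the sample responses are constructed for the example, not captured from dvga or any other server.

```python
"""Added example (not graphql-cop's own code): the two-probe trace-mode
check discussed in this thread, run over constructed sample responses."""
import json
from typing import Any, Callable, Dict

# Probe 1 is valid on every GraphQL server, so it only reveals servers that
# attach tracing data to successful responses.
VALID_QUERY = {"query": "query { __typename }"}
# Probe 2 names a field that cannot exist, forcing an error, so it reveals
# servers that attach exception details or stack traces to errors.
INVALID_QUERY = {"query": "query { __typenaaame }"}


def extensions_leak(ext: Any) -> bool:
    """True if an `extensions` object carries `tracing` or `exception` data."""
    if not isinstance(ext, dict):
        return False
    return bool(ext.get("tracing")) or bool(ext.get("exception"))


def response_leaks_trace(body: Dict[str, Any]) -> bool:
    """Decide whether one parsed GraphQL response leaks trace information.

    The GraphQL spec makes `errors` a list and allows `extensions` both at the
    top level of the response and inside each error entry, so all of those
    places are checked.  The final substring check catches non-standard keys
    such as `stackTrace` anywhere in the body (it can also match error text
    that merely mentions a stack trace, the same trade-off graphql-cop makes).
    """
    if extensions_leak(body.get("extensions")):
        return True
    errors = body.get("errors")
    if isinstance(errors, list):
        for err in errors:
            if isinstance(err, dict) and extensions_leak(err.get("extensions")):
                return True
    return "stacktrace" in json.dumps(body).lower()


def probe_trace_mode(send: Callable[[Dict[str, Any]], Dict[str, Any]]) -> Dict[str, bool]:
    """Run both probes through `send`, a hypothetical caller-supplied function
    that POSTs one JSON payload and returns the parsed JSON reply (swap in a
    real HTTP client).  Returns which probe surfaced trace data."""
    results: Dict[str, bool] = {}
    for name, payload in (("valid", VALID_QUERY), ("invalid", INVALID_QUERY)):
        try:
            results[name] = response_leaks_trace(send(payload))
        except (ValueError, TypeError, AttributeError):
            # Non-JSON body or unexpected shape: treat as not flagged rather
            # than aborting the whole scan.
            results[name] = False
    return results


# Constructed sample responses (not captured from a real server).
SAMPLE_DVGA_ERROR = {  # same shape as the dvga reply quoted in this thread: nothing leaked
    "errors": [{"message": 'Cannot query field "__typenaaame" on type "Query".',
                "locations": [{"line": 1, "column": 9}]}]
}
SAMPLE_TOP_LEVEL_TRACING = {  # tracing attached to a *valid* query's response
    "data": {"__typename": "Query"},
    "extensions": {"tracing": {"version": 1, "duration": 12345}},
}
SAMPLE_PER_ERROR_EXCEPTION = {  # exception details inside one error entry
    "data": None,
    "errors": [{"message": "boom",
                "extensions": {"code": "INTERNAL_SERVER_ERROR",
                               "exception": {"stacktrace": ["Error: boom",
                                                            "    at resolve (server.js:42:9)"]}}}],
}


def fake_server(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for a server that leaks only when a query errors."""
    if payload == VALID_QUERY:
        return {"data": {"__typename": "Query"}}
    return SAMPLE_PER_ERROR_EXCEPTION


if __name__ == "__main__":
    print(probe_trace_mode(fake_server))  # {'valid': False, 'invalid': True}
```

Against the fake server only the invalid-field probe fires, which is exactly the case the valid `__typename` query alone would miss; a server with tracing enabled on normal responses would instead flip the `valid` entry.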

dolevf commented Aug 27, 2022

#14
