Errors with Damn Vulnerable Graphql Application #16

Closed
halfluke opened this issue Mar 11, 2021 · 11 comments · Fixed by #23

halfluke commented Mar 11, 2021

with master branch:

root@kali:~/Downloads/clairvoyance# python3 -m clairvoyance -w ./google10000.txt http://127.0.0.1:5000/graphql

[WARNING][2021-03-11 22:47:33 oracle.py:57]	Unknown error message: 'Cannot query field "system" on type "Query". Did you mean "pastes", "paste", "systemUpdate" or "systemHealth"?'
[WARNING][2021-03-11 22:47:33 oracle.py:57]	Unknown error message: 'Cannot query field "systems" on type "Query". Did you mean "pastes", "systemUpdate" or "systemHealth"?'
[WARNING][2021-03-11 22:47:33 oracle.py:57]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:47:33 oracle.py:57]	Unknown error message: 'Field "node" argument "id" of type "ID!" is required but not provided.'
[WARNING][2021-03-11 22:47:36 oracle.py:57]	Unknown error message: 'Field "paste" of type "PasteObject" must have a sub selection.'
[WARNING][2021-03-11 22:47:38 oracle.py:57]	Unknown error message: 'Cannot query field "systematic" on type "Query". Did you mean "systemUpdate", "systemHealth" or "systemDiagnostics"?'
[WARNING][2021-03-11 22:47:38 oracle.py:57]	Unknown error message: 'Cannot query field "pose" on type "Query". Did you mean "node", "paste" or "pastes"?'
[WARNING][2021-03-11 22:47:38 oracle.py:293]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:47:38 oracle.py:293]	Unknown error message: 'Field "node" argument "id" of type "ID!" is required but not provided.'
[WARNING][2021-03-11 22:47:40 oracle.py:188]	Unknown error message: Field "node" of type "Node" must have a sub selection.
[WARNING][2021-03-11 22:47:41 oracle.py:188]	Unknown error message: Field "node" of type "Node" must have a sub selection.
[WARNING][2021-03-11 22:47:41 oracle.py:188]	Unknown error message: Field "node" argument "id" of type "ID!" is required but not provided.
[WARNING][2021-03-11 22:47:41 oracle.py:188]	Unknown error message: Field "node" of type "Node" must have a sub selection.
[WARNING][2021-03-11 22:47:41 oracle.py:188]	Unknown error message: Field "node" argument "id" of type "ID!" is required but not provided.
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Argument "id" has invalid value {}.
Expected type "ID", found {}.'
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Unknown argument "i" on field "node" of type "Query". Did you mean "id"?'
[WARNING][2021-03-11 22:47:41 oracle.py:293]	Unknown error message: 'Field "node" argument "id" of type "ID!" is required but not provided.'
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/root/Downloads/clairvoyance/clairvoyance/__main__.py", line 89, in <module>
    schema = oracle.clairvoyance(
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 436, in clairvoyance
    arg_typeref = probe_arg_typeref(
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 341, in probe_arg_typeref
    typeref = probe_typeref(documents, "InputValue", config)
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 315, in probe_typeref
    raise Exception(f"Unable to get TypeRef for {documents}")
Exception: Unable to get TypeRef for ['query { node(id: 7) }', 'query { node(id: {}) }', 'query { node(i: 7) }']

Switching to latest Pull request:

root@kali:~/Downloads/clairvoyance# git branch
* main
root@kali:~/Downloads/clairvoyance# git branch -a
* main
  remotes/origin/HEAD -> origin/main
  remotes/origin/enhancement-support-input-objects
  remotes/origin/fix-issue-9
  remotes/origin/fix_non_null_2x
  remotes/origin/improvement-retry-on-non-200
  remotes/origin/issue-1
  remotes/origin/main
  remotes/origin/rewrite-system-tests
root@kali:~/Downloads/clairvoyance# git checkout -b enhancement-support-input-objects remotes/origin/enhancement-support-input-objects
Branch 'enhancement-support-input-objects' set up to track remote branch 'enhancement-support-input-objects' from 'origin'.
Switched to a new branch 'enhancement-support-input-objects'
root@kali:~/Downloads/clairvoyance# git branch
* enhancement-support-input-objects
  main
root@kali:~/Downloads/clairvoyance# python3 -m clairvoyance -w ./google10000.txt http://127.0.0.1:5000/graphql
[WARNING][2021-03-11 22:52:34 oracle.py:57]	Unknown error message: 'Cannot query field "system" on type "Query". Did you mean "pastes", "paste", "systemUpdate" or "systemHealth"?'
[WARNING][2021-03-11 22:52:34 oracle.py:57]	Unknown error message: 'Cannot query field "systems" on type "Query". Did you mean "pastes", "systemUpdate" or "systemHealth"?'
[WARNING][2021-03-11 22:52:34 oracle.py:57]	Unknown error message: 'Field "node" of type "Node" must have a sub selection.'
[WARNING][2021-03-11 22:52:34 oracle.py:57]	Unknown error message: 'Field "node" argument "id" of type "ID!" is required but not provided.'
[WARNING][2021-03-11 22:52:38 oracle.py:57]	Unknown error message: 'Field "paste" of type "PasteObject" must have a sub selection.'
[WARNING][2021-03-11 22:52:39 oracle.py:57]	Unknown error message: 'Cannot query field "systematic" on type "Query". Did you mean "systemUpdate", "systemHealth" or "systemDiagnostics"?'
[WARNING][2021-03-11 22:52:39 oracle.py:57]	Unknown error message: 'Cannot query field "pose" on type "Query". Did you mean "node", "paste" or "pastes"?'
[WARNING][2021-03-11 22:52:39 oracle.py:228]	Unknown error (Field, typeref): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:41 oracle.py:228]	Unknown error (InputValue, name): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:41 oracle.py:228]	Unknown error (InputValue, name): Argument "public" has invalid value 7.
Expected type "Boolean", found 7.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, name): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, name): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, typeref): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, typeref): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, typeref): Argument "public" has invalid value {}.
Expected type "Boolean", found {}.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, typeref): Field "pastes" of type "[PasteObject]" must have a sub selection.
[WARNING][2021-03-11 22:52:43 oracle.py:228]	Unknown error (InputValue, typeref): Argument "public" has invalid value 7.
Expected type "Boolean", found 7.
Traceback (most recent call last):
  File "/usr/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/root/Downloads/clairvoyance/clairvoyance/__main__.py", line 91, in <module>
    schema = oracle.clairvoyance(
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 409, in clairvoyance
    arg_typeref = probe_arg_typeref(
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 316, in probe_arg_typeref
    typeref = probe_typeref(documents, "InputValue", config)
  File "/root/Downloads/clairvoyance/clairvoyance/oracle.py", line 290, in probe_typeref
    raise Exception(f"Unable to get TypeRef for {documents}")
Exception: Unable to get TypeRef for ['query { pastes(publi: 7) }', 'query { pastes(public: {}) }', 'query { pastes(public: 7) }']
@nikitastupin
Owner

Hi @halfluke,

Thanks for reporting this bug! 👍

From the error message it looks like clairvoyance failed to parse the server response properly. Anyway, it needs further investigation with a debugger. I'll try to look into it when I have time 😃

Regarding the enhancement-support-input-objects branch -- it's not finished, so right now it's better to use main.

nikitastupin added the bug (Something isn't working) label Mar 12, 2021
@nikitastupin
Owner

Suggestion on debugging: send one of the `query { node(id: 7) }`, `query { node(id: {}) }`, `query { node(i: 7) }` queries and observe the response. Most likely it has an unexpected format and we should ignore it or parse it in another way.


d-kar commented Apr 23, 2021

Getting same errors:

[WARNING][2021-04-23 17:07:34 oracle.py:293]    Unknown error message in context 'InputValue': 'Unknown argument "rated" on field "navigation" of type "Query".'
[WARNING][2021-04-23 17:07:34 oracle.py:293]    Unknown error message in context 'InputValue': 'Unknown argument "rate" on field "navigation" of type "Query".'
Traceback (most recent call last):
  File "C:\Users\olegs\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Users\olegs\AppData\Local\Programs\Python\Python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\temp\clairvoyance\clairvoyance\__main__.py", line 89, in <module>
    schema = oracle.clairvoyance(
  File "C:\temp\clairvoyance\clairvoyance\oracle.py", line 436, in clairvoyance
    arg_typeref = probe_arg_typeref(
  File "C:\temp\clairvoyance\clairvoyance\oracle.py", line 341, in probe_arg_typeref
    typeref = probe_typeref(documents, "InputValue", config)
  File "C:\temp\clairvoyance\clairvoyance\oracle.py", line 315, in probe_typeref
    raise Exception(f"Unable to get TypeRef for {documents}")
Exception: Unable to get TypeRef for ['query { navigation(rated: 7) }', 'query { navigation(rated: {}) }', 'query { navigation(rate: 7) }']

The error message from graphql looks like this:

{
    "errors": [
        {
            "message": "Field \"navigation\" of type \"[CmsNode]\" must have a selection of subfields. Did you mean \"navigation { ... }\"?",
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED",
                "type": "Middleware_Error"
            }
        },
        {
            "message": "Unknown argument \"rate\" on field \"navigation\" of type \"Query\".",
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED",
                "type": "Middleware_Error"
            }
        }
    ]
}

I feel like clairvoyance is doing something wrong here
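
Added example, not part of the thread and not clairvoyance's code: a tolerant classifier for the validation messages quoted above, showing which schema facts each wording exposes and collecting unmatched messages instead of raising. The pattern names, `parse_typeref` and `leaked_facts` are this example's own assumptions, and the sample response is constructed from messages quoted in this issue.

```python
import json
import re

# Message shapes quoted in this thread; names are this example's own.
PATTERNS = [
    ("field_type", re.compile(
        r'^Field "(?P<field>[^"]+)" of type "(?P<type>[^"]+)" must have a '
        r'(?:sub selection|selection of subfields)\b')),
    ("required_arg", re.compile(
        r'^Field "(?P<field>[^"]+)" argument "(?P<arg>[^"]+)" of type '
        r'"(?P<type>[^"]+)" is required')),
    ("arg_type", re.compile(
        r'^Argument "(?P<arg>[^"]+)" has invalid value .*?'
        r'Expected type "(?P<type>[^"]+)"', re.S)),  # message spans two lines
    ("unknown_arg", re.compile(
        r'^Unknown argument "(?P<arg>[^"]+)" on field "(?P<field>[^"]+)"'
        r'(?: of type "(?P<parent>[^"]+)")?\.(?: Did you mean (?P<hints>.+)\?)?$')),
]


def parse_typeref(text):
    """Split GraphQL type notation such as "[PasteObject]" or "ID!"."""
    core = text.rstrip("!")
    return {"name": core.strip("[]!"), "list": core.startswith("["),
            "non_null": text.endswith("!")}


def leaked_facts(response_body):
    """Return (facts, unrecognised) for one GraphQL error response body."""
    facts, unrecognised = [], []
    for err in json.loads(response_body).get("errors") or []:
        msg = err.get("message", "")
        for kind, rx in PATTERNS:
            if not (m := rx.search(msg)):
                continue
            fact = {"kind": kind, **{k: v for k, v in m.groupdict().items() if v}}
            if "type" in fact:
                fact["type"] = parse_typeref(fact["type"])
            if "hints" in fact:  # names the server offered in "Did you mean"
                fact["hints"] = re.findall(r'"([^"]+)"', fact["hints"])
            facts.append(fact)
            break
        else:  # unknown wording: record it rather than abort the run
            unrecognised.append(msg)
    return facts, unrecognised

# Constructed response body built from messages quoted in this thread.
SAMPLE = json.dumps({"errors": [{"message": m} for m in [
    'Field "navigation" of type "[CmsNode]" must have a selection of subfields.'
    ' Did you mean "navigation { ... }"?',
    'Unknown argument "rate" on field "navigation" of type "Query".',
    'Field "node" argument "id" of type "ID!" is required but not provided.',
    'Argument "public" has invalid value 7.\nExpected type "Boolean", found 7.',
    'Unknown argument "i" on field "node" of type "Query". Did you mean "id"?',
    "_ disabled",
]]})

if __name__ == "__main__":
    print(leaked_facts(SAMPLE))
```

Run over error responses captured from your own endpoint, the `facts` list shows what validation errors disclose about the schema even with introspection off.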


d-kar commented Apr 24, 2021

It seems like my particular server doesn't like a large bucket of words and throws up on them with an error that is not recognized by clairvoyance. After that it starts doing wrong stuff and quits. I changed the bucket size to 256 and it works fine.

@halfluke
Author

how did you change the bucket size to 256, if I may ask?


d-kar commented Apr 24, 2021

> how did you change the bucket size to 256, if I may ask?

graphql.py line 159


kleiton0x00 commented Aug 21, 2021

I'm also having the same error when running the tool, however changing the bucket size to 256 didn't solve the issue for me either.
OS: Ubuntu 20.04 LTS
Python: 3.8.10

Here is the output when setting the bucket size to 256:

python3 -m clairvoyance -o /home/nade/Desktop/schema.json -w google-10000-english-usa.txt https://www.example.com/graphql -vv
[DEBUG][2021-08-21 11:44:25 oracle.py:419]	Root typenames are: {'queryType': None, 'mutationType': None, 'subscriptionType': None}
[DEBUG][2021-08-21 11:44:25 oracle.py:441]	__typename = Query
[DEBUG][2021-08-21 11:44:27 oracle.py:81]	Sent 256 fields, recieved 256 errors in 1.947997 seconds
[DEBUG][2021-08-21 11:44:28 oracle.py:81]	Sent 256 fields, recieved 255 errors in 0.825902 seconds
[DEBUG][2021-08-21 11:44:29 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.431477 seconds
[DEBUG][2021-08-21 11:44:29 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.526348 seconds
[DEBUG][2021-08-21 11:44:30 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.5381 seconds
[DEBUG][2021-08-21 11:44:30 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.683985 seconds
[DEBUG][2021-08-21 11:44:45 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.369622 seconds
[DEBUG][2021-08-21 11:44:45 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.513586 seconds
[DEBUG][2021-08-21 11:44:46 oracle.py:81]	Sent 256 fields, recieved 256 errors in 0.468517 seconds
[DEBUG][2021-08-21 11:44:46 oracle.py:81]	Sent 16 fields, recieved 16 errors in 0.18961 seconds
[DEBUG][2021-08-21 11:44:46 oracle.py:444]	Query.fields = {'_', 'getVariant', 'getCategoryIds', 'getVariants', 'getMemberships', 'getProduct', 'getProductIds', 'getCategory', 'calculateTax', 'version'}
[WARNING][2021-08-21 11:44:46 oracle.py:302]	Unknown error message: '_ disabled'
[DEBUG][2021-08-21 11:44:46 oracle.py:462]	Skip probe_args() for '_' of type 'Boolean'
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/nade/GraphQL pentest/clairvoyance/clairvoyance/__main__.py", line 96, in <module>
    schema = oracle.clairvoyance(
  File "/home/nade/GraphQL pentest/clairvoyance/clairvoyance/oracle.py", line 466, in clairvoyance
    schema.types[typename].fields.append(field)
KeyError: 'Query'

And here is the output when running with the default bucket size (4096):

[DEBUG][2021-08-21 11:46:39 oracle.py:419]	Root typenames are: {'queryType': None, 'mutationType': None, 'subscriptionType': None}
[DEBUG][2021-08-21 11:46:52 oracle.py:441]	__typename = Query
[DEBUG][2021-08-21 11:46:59 oracle.py:81]	Sent 4096 fields, recieved 4095 errors in 6.233555 seconds
[DEBUG][2021-08-21 11:47:06 oracle.py:81]	Sent 4096 fields, recieved 4096 errors in 6.304185 seconds
[DEBUG][2021-08-21 11:47:10 oracle.py:81]	Sent 1808 fields, recieved 1808 errors in 3.456586 seconds
[DEBUG][2021-08-21 11:47:10 oracle.py:444]	Query.fields = {'getVariants', 'getVariant', 'getMemberships', 'calculateTax', 'version', 'getProductIds', 'getCategory', '_', 'getCategoryIds', 'getProduct'}
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: Unknown argument "facilities" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: There can be only one argument named "color".
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: There can be only one argument named "favorite".
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: Unknown argument "variables" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: There can be only one argument named "labor".
[WARNING][2021-08-21 11:47:17 oracle.py:194]	Unknown error message: There can be only one argument named "favorites".
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: Unknown argument "nationwide" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: Unknown argument "variation" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: Unknown argument "variations" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: Unknown argument "validation" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: Unknown argument "warranties" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:26 oracle.py:194]	Unknown error message: There can be only one argument named "harbor".
[WARNING][2021-08-21 11:47:29 oracle.py:194]	Unknown error message: Unknown argument "guarantees" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:29 oracle.py:194]	Unknown error message: Unknown argument "vacancies" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:29 oracle.py:194]	Unknown error message: Unknown argument "variance" on field "Query.getVariants". Did you mean "variantIds"?
[WARNING][2021-08-21 11:47:29 oracle.py:194]	Unknown error message: Unknown argument "varieties" on field "Query.getVariants". Did you mean "variantIds"?
[DEBUG][2021-08-21 11:47:29 oracle.py:452]	Query.getVariants.args = set()
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/nade/GraphQL pentest/clairvoyance/clairvoyance/__main__.py", line 96, in <module>
    schema = oracle.clairvoyance(
  File "/home/nade/GraphQL pentest/clairvoyance/clairvoyance/oracle.py", line 466, in clairvoyance
    schema.types[typename].fields.append(field)
KeyError: 'Query'

Edit: Tried it also in a freshly installed Kali Linux (python 3.9.2) and it also gets the same error

@nikitastupin
Owner

nikitastupin commented Aug 21, 2021

Hi @kleiton0x00,

Looking at [DEBUG][2021-08-21 11:44:25 oracle.py:419] Root typenames are: {'queryType': None, 'mutationType': None, 'subscriptionType': None} line I can conclude that clairvoyance wasn't even able to fetch the root query, mutation and subscription type names. It seems like an edge case for particular endpoint and needs deeper investigation.

Have you tried it on other GraphQL endpoints?

@kleiton0x00

> Hi @kleiton0x00,
>
> Looking at [DEBUG][2021-08-21 11:44:25 oracle.py:419] Root typenames are: {'queryType': None, 'mutationType': None, 'subscriptionType': None} line I can conclude that clairvoyance wasn't even able to fetch the root query, mutation and subscription type names. It seems like an edge case for particular endpoint and needs deeper investigation.
>
> Have you tried it on other GraphQL endpoints?

Yes I have, however the result is exactly the same.

This was referenced Sep 3, 2021
@nikitastupin
Owner

@kleiton0x00 I've created a separate GitHub issue (#22) for your case because it's different from what was originally reported there. Let's continue in #22.

nikitastupin added a commit that referenced this issue Sep 3, 2021
nikitastupin added a commit that referenced this issue Sep 3, 2021
@nikitastupin
Owner

Hi @halfluke,

I've just pushed a fix for the bug you've reported to the fix-issues-16-and-20 branch. Could you please try out fix-issues-16-and-20 and see whether it fixes the bug?

I've tested it against DVGA and it worked fine.
