Exception: Unable to get TypeRef #20

Closed
Sim4n6 opened this issue Aug 20, 2021 · 12 comments · Fixed by #23
Labels
bug Something isn't working

Comments

@Sim4n6

Sim4n6 commented Aug 20, 2021

I issued clairvoyance against a GraphQL endpoint:

python3 -m clairvoyance -o ./schema.json -w ../../Wordlists/google-10000-english-no-swears.txt https://www.REDACTED.com/graphql/

I'm getting the following error:

Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/sim4n6/Desktop/Pentesting-kb/Tools/clairvoyance/clairvoyance/__main__.py", line 96, in <module>
    schema = oracle.clairvoyance(
  File "/home/sim4n6/Desktop/Pentesting-kb/Tools/clairvoyance/clairvoyance/oracle.py", line 454, in clairvoyance
    arg_typeref = probe_arg_typeref(
  File "/home/sim4n6/Desktop/Pentesting-kb/Tools/clairvoyance/clairvoyance/oracle.py", line 353, in probe_arg_typeref
    typeref = probe_typeref(documents, "InputValue", config)
  File "/home/sim4n6/Desktop/Pentesting-kb/Tools/clairvoyance/clairvoyance/oracle.py", line 327, in probe_typeref
    raise Exception(f"Unable to get TypeRef for {documents}")
Exception: Unable to get TypeRef for ['query { lhEvents(filter: 7) }', 'query { lhEvents(filter: {}) }', 'query { lhEvents(filte: 7) }']

@nikitastupin
Owner

Hi @Sim4n6,

Thanks for reporting this! Most likely the server returns a response which isn't recognized by clairvoyance.

You can try to issue the query { lhEvents(filter: 7) } manually and see whether the response is similar to the one from https://swapi-graphql.netlify.app/.netlify/functions/index. If they aren't similar, we might need to improve clairvoyance to handle the type of server you're running it against.

@Sim4n6
Author

Sim4n6 commented Aug 24, 2021

The error msg is:

{"errors":[{"message":"Field \"lhEvents\" of type \"[LhEvent!]!\" must have a selection of subfields. Did you mean \"lhEvents { ... }\"?","locations":[{"line":1,"column":9}],"extensions":{"code":"GRAPHQL_VALIDATION_FAILED"}},{"message":"Expected value of type \"LhEventFilter\", found 7.","locations":[{"line":1,"column":26}],"extensions":{"code":"GRAPHQL_VALIDATION_FAILED"}}]}

@nikitastupin
Owner

nikitastupin commented Sep 3, 2021

I've looked at the issue one more time and it looks like clairvoyance tries to obtain the TypeRef for the filter argument but fails to do so, because all of the queries ('query { lhEvents(filter: 7) }', 'query { lhEvents(filter: {}) }', 'query { lhEvents(filte: 7) }') trigger a field error message, but we need a query that will trigger an argument error message.

@Sim4n6 If you provide the exact endpoint it will be much easier to debug. You can DM me on Twitter http://twitter.com/_nikitastupin if you'd like to keep the endpoint private.

@nikitastupin nikitastupin added the bug Something isn't working label Sep 3, 2021
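
Added example, not part of the original thread and not clairvoyance's own code: a Python reading of the response quoted above for `query { lhEvents(filter: 7) }`, separating the field-level error from the argument-level one and showing which schema type each message discloses. The two regular expressions and all function names are assumptions written from that single response, and the query is assumed to sit on one line.

```python
import json
import re

# Query and response body as quoted in the thread above.
QUERY = "query { lhEvents(filter: 7) }"
RESPONSE = r'''{"errors":[{"message":"Field \"lhEvents\" of type \"[LhEvent!]!\" must have a selection of subfields. Did you mean \"lhEvents { ... }\"?","locations":[{"line":1,"column":9}],"extensions":{"code":"GRAPHQL_VALIDATION_FAILED"}},{"message":"Expected value of type \"LhEventFilter\", found 7.","locations":[{"line":1,"column":26}],"extensions":{"code":"GRAPHQL_VALIDATION_FAILED"}}]}'''

# Assumed patterns, written from the two messages in that response only.
FIELD_RE = re.compile(r'Field "(\w+)" of type "([^"]+)" must have a selection')
ARG_RE = re.compile(r'Expected value of type "([^"]+)", found ')


def parse_typeref(text):
    """Split type notation such as '[LhEvent!]!' into wrappers and a name."""
    wrappers = []
    while True:
        if text.endswith("!"):
            wrappers.append("NON_NULL")
            text = text[:-1]
        elif text.startswith("[") and text.endswith("]"):
            wrappers.append("LIST")
            text = text[1:-1]
        else:
            break
    if not re.fullmatch(r"[_A-Za-z][_0-9A-Za-z]*", text):
        raise ValueError(f"not a GraphQL type name: {text!r}")
    return {"name": text, "wrappers": wrappers}


def argument_at(query, column):
    """Name of the argument whose value starts at a 1-based column, else None."""
    if column < 1:
        return None
    m = re.search(r"(\w+)\s*:\s*$", query[: column - 1])
    return m.group(1) if m else None


def disclosed_types(query, body):
    """List (kind, subject, typeref) for each type a validation error reveals."""
    found = []
    for err in json.loads(body).get("errors", []):
        msg = err.get("message", "")
        col = (err.get("locations") or [{}])[0].get("column", 0)
        if m := FIELD_RE.search(msg):
            found.append(("field", m.group(1), parse_typeref(m.group(2))))
        elif m := ARG_RE.search(msg):
            arg = argument_at(query, col)
            found.append(("argument", arg, parse_typeref(m.group(1))))
    return found
```

The argument-level message does not name the argument, so the example attributes it through the error's `locations` column; each tuple returned is schema detail that the validation errors alone hand to any client.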
@nikitastupin
Owner

Also it looks like #16 (comment) has the same issue

@Sim4n6
Author

Sim4n6 commented Sep 3, 2021

I would love to, but I can't since the targeted endpoint is part of a private bug bounty program!

@Sim4n6
Author

Sim4n6 commented Sep 3, 2021

But feel free to ask me to perform any task/verification/debug possible.

nikitastupin added a commit that referenced this issue Sep 3, 2021
nikitastupin added a commit that referenced this issue Sep 3, 2021
@nikitastupin
Owner

@Sim4n6 could you please try out fix-issues-16-and-20 and see whether it fixes the bug?

@Sim4n6
Author

Sim4n6 commented Sep 3, 2021

So, just to make sure that I understand what you want: I git clone and then switch to the #23 branch, and initiate the clairvoyance scan, right?

@Sim4n6
Author

Sim4n6 commented Sep 3, 2021

Working on that right now ...

@nikitastupin
Owner

Yep, you've got everything right. Just clone the repo, git checkout fix-issues-16-and-20 and test it against your endpoint.

@Sim4n6
Author

Sim4n6 commented Sep 3, 2021

It worked like a charm!

@nikitastupin nikitastupin linked a pull request Sep 3, 2021 that will close this issue
@nikitastupin
Owner

Cool! 🚀
