InQL v5: A Technical Deep Dive


We’re thrilled to pull back the curtain on the latest iteration of our widely-used Burp Suite extension – InQL. Version 5 introduces significant enhancements and upgrades, solidifying its place as an indispensable tool for penetration testers and bug bounty hunters.


Introduction

The cybersecurity landscape is in a state of constant flux. As GraphQL adoption surges, the demand for an adaptable, resilient testing tool has become paramount. As leaders in GraphQL security, Doyensec is proud to reveal the most recent iteration of our open-source testing tool – InQL v5.x. This isn’t merely an update; it’s a comprehensive revamp designed to augment your GraphQL testing abilities.

The Journey So Far: From Jython to Kotlin

Our journey with InQL started on the Jython platform. Over time, however, we ran into Jython's limitations, chiefly its lack of Python 3 support, which made it increasingly difficult to find compatible tooling and libraries. A transition was clearly needed. After careful consideration, we chose Kotlin: it interoperates directly with Java (which Burp and its extension APIs are written in), and it offers robustness, flexibility, and a thriving developer community.

The Challenges of Converting a Burp Extension Into Kotlin

To reuse the existing Jython code without rewriting all of it at once, we opted to bundle the entire Jython runtime (over 40 MB) inside the Kotlin extension. It is not an ideal solution, but it lets Burp load the extension as Kotlin, which then starts an embedded Jython interpreter and delegates execution to the older Python code. The extension class implements both the legacy IBurpExtender interface and the new Montoya BurpExtension interface: Burp calls the legacy registerExtenderCallbacks first and Montoya's initialize second, so the Python side is only instantiated once both API handles are available.

package burp

import burp.api.montoya.BurpExtension
import burp.api.montoya.MontoyaApi
import org.python.core.PyObject
import org.python.util.PythonInterpreter

// The legacy loader looks for the class burp.BurpExtender; the same class also
// implements the Montoya entry point (BurpExtension) so both APIs are available.
class BurpExtender: IBurpExtender, IExtensionStateListener, BurpExtension {

    private var legacyApi: IBurpExtenderCallbacks? = null
    private var montoya: MontoyaApi? = null

    private var jython: PythonInterpreter? = null
    private var pythonPlugin: PyObject? = null

    // Legacy API gets instantiated first
    override fun registerExtenderCallbacks(callbacks: IBurpExtenderCallbacks) {

        // Save legacy API for the functionality that still relies on it
        legacyApi = callbacks

        // Get notified on unload so the embedded interpreter can be torn down
        callbacks.registerExtensionStateListener(this)

        // Start embedded Python interpreter session (Jython)
        jython = PythonInterpreter()
    }

    // Montoya API gets instantiated second
    override fun initialize(montoyaApi: MontoyaApi) {
        // The new Montoya API should be used for all of the new functionality in InQL
        montoya = montoyaApi

        // Set the name of the extension
        montoya!!.extension().setName("InQL")

        // Instantiate the legacy Python plugin
        pythonPlugin = legacyPythonPlugin()

        // Pass execution to legacy Python code
        pythonPlugin!!.invoke("registerExtenderCallbacks")
    }

    // Required by IExtensionStateListener: shut the embedded interpreter down on unload
    override fun extensionUnloaded() {
        pythonPlugin = null
        jython?.cleanup()
        jython = null
    }

    private fun legacyPythonPlugin(): PyObject {
        // Make sure UTF-8 is used by default
        jython!!.exec("import sys; reload(sys); sys.setdefaultencoding('UTF8')")

        // Pass callbacks received from Burp to Python plugin as a global variable
        jython!!.set("callbacks", legacyApi)
        jython!!.set("montoya", montoya)

        // Instantiate legacy Python plugin
        jython!!.exec("from inql.extender import BurpExtenderPython")
        val legacyPlugin: PyObject = jython!!.eval("BurpExtenderPython(callbacks, montoya)")

        // Delete global after it has been consumed
        jython!!.exec("del callbacks, montoya")

        return legacyPlugin
    }
}

Sidestepping the need for stickytape

Our switch to Kotlin also solved another problem. Burp Suite loads a Jython extension from a single .py file, but the complexity of InQL calls for a multi-file layout. Previously we used the stickytape library to squash the Python package into one file; however, stickytape introduced subtle bugs and prevented access to static (non-Python) files shipped alongside the code. As a Kotlin extension, InQL can now bundle every file into the JAR and access them from there correctly.

Introducing GQLSpection: The Core of InQL v5.x

A significant milestone in the transition was refactoring the core of InQL that handles GraphQL schema parsing. The result is GQLSpection, a standalone library compatible with Python 2, Python 3 and Jython, with a convenient CLI. Its test suite includes every GraphQL code example from the GraphQL specification, so the parser is exercised against the full range of syntax the spec describes.

As an added advantage, GQLSpection's CLI replaces the standalone and CLI modes of the previous InQL version, which were removed from the extension to streamline the code base.


New Features

Our clients rely heavily on cutting-edge technologies, so we frequently work with real-world GraphQL deployments across our projects. That exposure has shown us the challenges InQL users face and what they need, and it guided which features to implement. In response, InQL v5.0 introduces several significant features to support more effective and efficient audits and investigations.

Points of Interest

One standout feature of this version is 'Points of Interest'. Powered by GQLSpection, with the initial implementation contributed by @schoobydrew, it is essentially a keyword scan over the schema, equipped with several customizable presets.


The Points of Interest scan is especially useful when analyzing extensive schemas with more than 50 queries/mutations and thousands of fields. It produces reports in both human-readable text and JSON, giving a high-level overview of the vast schemas typical of modern apps and helping pentesters quickly locate sensitive data or dangerous functionality within the schema, such as fields whose names or descriptions hint at credentials or privileged operations.


Improved Logging

One of my frustrations with earlier versions of the tool was the lack of useful error messages when the parser broke on real-world schemas. So, I introduced configurable logging. This, coupled with the fact that parsing functionality is now handled by GQLSpection, has made InQL v5.0 much more reliable and user-friendly.

In-line Annotations

Another important addition to InQL is annotations. Previously, InQL generated only the bare-minimum query, so other tools were needed to work out the correct input format, expected values, and so on. With inline comments populated from the 'description' fields of the GraphQL schema and from the type annotations, InQL v5.0 has become much more of a standalone tool.


There is a trade-off here: while extensive annotations make InQL more usable, they can also make the generated queries harder to read and navigate. For future releases we are looking at ways to dynamically limit how many annotations are displayed.
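The block below is an added example, not GQLSpection's or InQL's code; its function names, keyword presets, report layout and the sample introspection result are this example's own assumptions. It serves the three passages above in one place: walking an introspection result the way a schema-parsing core such as GQLSpection must, generating an operation whose schema 'description' fields become inline `#` annotations, and running a keyword-preset 'Points of Interest' scan whose result is the source of both a text and a JSON report. It also shows a circular relationship (User.manager is itself a User) being cut off by a depth limit rather than recursing forever, the case v4's circular-relationship detection handled.

```python
"""Introspection walker: query generation with inline annotations plus a
keyword 'points of interest' scan.  Added example, not GQLSpection's code."""
import re

def typeref(kind, name, of=None):  # one __Type reference; NON_NULL/LIST wrap ofType
    return {"kind": kind, "name": name, "ofType": of}

# Constructed introspection result (what `{ __schema { ... } }` returns),
# trimmed to the keys read below.  Sample data, not a real API.
INTROSPECTION = {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "description": "Look up a user by id",
             "args": [{"name": "id", "description": "Numeric user id",
                       "type": typeref("NON_NULL", None, typeref("SCALAR", "ID"))}],
             "type": typeref("OBJECT", "User")}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "resetPassword", "description": "Admin only",
             "args": [{"name": "userId", "description": None, "type": typeref("SCALAR", "ID")},
                      {"name": "newPassword", "description": "Plaintext password",
                       "type": typeref("SCALAR", "String")}],
             "type": typeref("SCALAR", "Boolean")}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "description": None, "args": [], "type": typeref("SCALAR", "ID")},
            {"name": "email", "description": "Primary e-mail", "args": [], "type": typeref("SCALAR", "String")},
            {"name": "apiToken", "description": "Deprecated, use OAuth", "args": [], "type": typeref("SCALAR", "String")},
            {"name": "manager", "description": None, "args": [], "type": typeref("OBJECT", "User")}]},
    ]}}  # User.manager -> User is a circular relationship

def load_types(schema):
    return {t["name"]: t for t in schema["__schema"]["types"]}

def unwrap(ref):
    """Reduce a possibly wrapped type reference to (base type name, SDL syntax)."""
    if ref["kind"] in ("NON_NULL", "LIST"):
        base, text = unwrap(ref["ofType"])
        return base, text + "!" if ref["kind"] == "NON_NULL" else "[" + text + "]"
    return ref["name"], ref["name"]

def generate_query(schema, field_name, op="query", max_depth=2):
    """Render one root field as a runnable operation: descriptions become '#' comments,
    object fields are expanded until max_depth (which also breaks type cycles)."""
    types = load_types(schema)
    lines, variables = [], {}  # variables: name -> (SDL syntax, description)

    def walk(f, depth, indent):
        args = ""
        for a in f.get("args") or []:
            variables.setdefault(a["name"], (unwrap(a["type"])[1], a.get("description")))
        if f.get("args"):
            args = "(" + ", ".join("%s: $%s" % (a["name"], a["name"]) for a in f["args"]) + ")"
        base, _ = unwrap(f["type"])
        target = types.get(base)
        note = "  # " + f["description"].replace("\n", " ") if f.get("description") else ""
        if not (target and target.get("fields")):  # scalar or enum leaf
            lines.append(indent + f["name"] + args + note)
        elif depth >= max_depth:                     # cut the cycle and say why
            lines.append("%s# %s: %s not expanded (max depth %d)" % (indent, f["name"], base, max_depth))
        else:
            lines.append(indent + f["name"] + args + " {" + note)
            for child in target["fields"]:
                walk(child, depth + 1, indent + "  ")
            lines.append(indent + "}")

    root = schema["__schema"][op + "Type"]["name"]
    walk(next(f for f in types[root]["fields"] if f["name"] == field_name), 0, "  ")
    header = ["# $%s: %s%s" % (n, s, "  " + d if d else "") for n, (s, d) in variables.items()]
    sig = "(" + ", ".join("$%s: %s" % (n, s) for n, (s, _) in variables.items()) + ")" if variables else ""
    return "\n".join(header + ["%s %s%s {" % (op, field_name, sig)] + lines + ["}"])

# Keyword presets for the scan: this example's own, not the presets InQL ships.
POI_PRESETS = {
    "auth": r"password|token|secret|api[_-]?key|session|jwt|otp",
    "pii": r"email|phone|address|ssn|birth",
    "admin": r"admin|role|permission|privilege|impersonat",
    "danger": r"delete|reset|purge|drop|exec|upload|import",
}

def points_of_interest(schema, presets=POI_PRESETS):
    """Match field/argument names and descriptions against every preset.  Returns
    {category: sorted 'Type.field' / 'Type.field(arg)' hits}; json.dumps() it for JSON."""
    hits = {cat: set() for cat in presets}
    for tname, t in load_types(schema).items():
        for f in t.get("fields") or []:
            where = "%s.%s" % (tname, f["name"])
            for cat, rx in ((c, re.compile(p, re.I)) for c, p in presets.items()):
                if rx.search(f["name"]) or rx.search(f.get("description") or ""):
                    hits[cat].add(where)
                for a in f.get("args") or []:
                    if rx.search(a["name"]) or rx.search(a.get("description") or ""):
                        hits[cat].add("%s(%s)" % (where, a["name"]))
    return {cat: sorted(v) for cat, v in hits.items() if v}

if __name__ == "__main__":
    print(generate_query(INTROSPECTION, "user"))
    print(generate_query(INTROSPECTION, "resetPassword", op="mutation"))
    print(points_of_interest(INTROSPECTION))
```

Running it prints the annotated `user` query (with `User.manager` expanded once and then replaced by a comment), the `resetPassword` mutation with its variables' descriptions in a comment header, and the scan hits grouped by preset. Because the annotations are ordinary GraphQL comments, the generated operation can be pasted into Repeater as-is; the per-category hit list is what a text report joins into lines and what `json.dumps()` turns into the JSON report.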

The Future of InQL and GraphQL Security

Our roadmap for InQL is ambitious. In the near term, we are committed to reintroducing features such as GraphiQL and Circular Relationship Detection, reaching full feature parity with v4.

As GraphQL continues to grow, ensuring robust security is crucial. InQL’s future involves addressing niche GraphQL features that are often overlooked and improving upon existing pentesting tools. We look forward to sharing more developments with the community.

InQL: A Great Project for Students and Contributors

InQL is not just a tool, it’s a project – a project that invites the contributions of those who are passionate about cybersecurity. We’re actively seeking students and developers who would like to contribute to InQL or do GraphQL-adjacent security research. This is an opportunity to work with experts in GraphQL security, and play a part in shaping the future of InQL.


Conclusion

InQL v5.x is the result of relentless work and an unwavering commitment to enhancing GraphQL security. We urge all pentesters, bug hunters, and cybersecurity enthusiasts working with GraphQL to try out this new release. If you’ve tried InQL in the past and are looking forward to enhancements, v5.0 will not disappoint.

At Doyensec, we’re not just developing a tool, we’re pushing the boundaries of what’s possible in GraphQL security. We invite you to join us on this journey, whether as a user, contributor, or intern.

Happy Hacking!

Originally published by Andrew Konstantinov: InQL v5: A Technical Deep Dive

Copyright notice: posted by admin on 18 August 2023 at 9:32 AM. When reposting, please credit: InQL v5: A Technical Deep Dive | CTF导航
