29 July, 2024

NMAP in Action: APIs

In a recent blog post, my coworker Josh introduced the fundamentals of NMAP and highlighted its extensive capabilities for network scanning and reconnaissance.  While NMAP is already a powerful tool, its functionality can be further extended through custom scripts.  These scripts can allow for even more specialized and comprehensive scans for individual technologies.

One such enhancement is the nmap-graphql-introspection-nse script.  This custom script provides NMAP with the ability to not only identify GraphQL endpoints, but also to determine if Introspection is enabled on those endpoints.

Now, you might be wondering why Introspection matters or how it’s helpful to pentesters.  Introspection is a feature of GraphQL that allows clients to query the schema for details about the defined queries and mutations.  This feature is extremely useful to developers by allowing them to easily understand the capabilities and structure of GraphQL without requiring separate documentation.  However, from a security perspective this functionality also allows attackers to quickly understand the underlying API and identify potential attack vectors.

The first phase for any pentest includes reconnaissance and mapping, and one of the most common tools to use during this phase is NMAP.  Simply setting up this script and using it as part of your recon for the application can expedite the API mapping process.  The earlier we identify the GraphQL endpoint with Introspection enabled, the more time we have to identify potential vulnerabilities.

Setting up the script

NMAP will need to be installed on your system.  You will also need Git to use the following commands.

Personally, I’ve installed the script on a Kali VM using the command line.  The following commands are intended for use in a Linux environment, but work very similarly in a Windows environment as both Git and NMAP are supported on a Windows system.

Open the command line and run the following command.

git clone https://github.com/dolevf/nmap-graphql-introspection-nse.git

 

Next, move the script to the NMAP scripts directory.  This is usually located at /usr/share/nmap/scripts.

sudo mv nmap-graphql-introspection-nse/graphql-introspection.nse /usr/share/nmap/scripts/

 

Almost done. Now, make sure to update the NMAP script database so that it can recognize and use the script.

sudo nmap --script-updatedb

 

And that’s it! You can now start using the script.  The best part is that these steps can be used to install other NMAP scripts as well.

Running the script

Now that the script is installed, how can it be used as part of a pentest engagement? If the target application has been identified as possibly utilizing GraphQL, NMAP scripts can be run to identify additional servers and gain a better understanding of the application.  The following command will execute the custom NMAP script.

nmap -sV --script graphql-introspection HOST

 

If the port that the GraphQL endpoint is using is already known, the following command can be used instead.

nmap -sV --script graphql-introspection -p PORT HOST

 

Assuming you scan an application using GraphQL with Introspection enabled, NMAP will now show more information in the output.  A simple example is shown in the following output.

 

 

Scanning a system without GraphQL or Introspection doesn’t cause any issues and the output would not include the details above.

The overall functionality of this script is simple but should not be underestimated.  Not only does it indicate that Introspection is enabled within GraphQL, but it also states exactly where the GraphQL endpoint is.  With this information in hand, pentesters can begin interacting with the underlying API and assessing it for vulnerabilities. 
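
A defender-side counterpart to the scan above, as an added example (not part of the original post, and not the NSE script's own logic): it classifies the response body an endpoint returns to the minimal __schema introspection query, so a team can confirm Introspection is off on its own deployment. The paths and response bodies in SAMPLES are constructed for illustration, and the function names are this example's own.

```python
import json

# Smallest query that touches the __schema meta-field from the GraphQL spec.
PROBE = {"query": "{ __schema { queryType { name } } }"}


def classify(body):
    """Classify the response body returned for PROBE.

    'enabled'     - schema data came back, introspection is on
    'refused'     - GraphQL-style errors and no schema (introspection off,
                    or the request was rejected for another reason, e.g. auth)
    'not-graphql' - body is not a GraphQL response at all
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "not-graphql"
    if not isinstance(doc, dict):
        return "not-graphql"
    data = doc.get("data")
    if isinstance(data, dict) and isinstance(data.get("__schema"), dict):
        return "enabled"
    errors = doc.get("errors")
    if isinstance(errors, list) and errors:
        return "refused"
    return "not-graphql"


def exposed_endpoints(responses):
    """Return the sorted paths whose response shows introspection enabled."""
    return sorted(p for p, body in responses.items() if classify(body) == "enabled")


# Constructed sample responses (hypothetical paths, not from any real system).
SAMPLES = {
    "/graphql": '{"data":{"__schema":{"queryType":{"name":"Query"}}}}',
    "/api/graphql": '{"errors":[{"message":"introspection is disabled"}]}',
    "/v2/graphql": '{"data":null,"errors":[{"message":"Not authorized"}]}',
    "/health": "<html>OK</html>",
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(f"{path:15} {classify(body)}")
    print("introspection enabled on:", exposed_endpoints(SAMPLES))
```

In a build pipeline, send PROBE as a JSON POST to your own staging endpoints and fail the build when exposed_endpoints returns anything.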

Are you interested in learning more about API security?  Check out our upcoming webcast where we talk about strategies for securing APIs.  We will challenge conventional thinking regarding APIs and dare developers to elevate their security practices. 
