

PRACTITIONER
GraphQL API vulnerabilities 8 of 29

Exploiting unsanitized arguments - Continued

For example, the query below requests a product list for an online shop:

#Example product query

query {
products {
id
name
listed
}
}

The product list returned contains only listed products.

 CONTINUE 

Up next: Discovering schema information

 #Example product response

{
"data": {
"products": [
{
"id": 1,
"name": "Product 1",
"listed": true
},
{
"id": 2,
"name": "Product 2",
"listed": true
},
{
"id": 4,
"name": "Product 4",
"listed": true
}
]
}
}

From this information, we can infer the following:

Products are assigned a sequential ID.

Product ID 3 is missing from the list, possibly because it has been delisted.

By querying the ID of the missing product, we can get its details, even though it is not listed on the
was not returned by the original product query.
shop and
CONTINUE 

Up next: Discovering schema information

#Query to get missing product

query {
product(id: 3) {
id
name
listed
}
}

#Missing product response

{
"data": {
"product": {
"id": 3,
"name": "Product 3",
"listed": no
}
}
}

 CONTINUE 

Up next: Discovering schema information