Approaching GraphQL End Points
Brief note on how you can proceed for testing GraphQL end points
Last updated
Was this helpful?
Brief note on how you can proceed for testing GraphQL end points
Last updated
Was this helpful?
Was this helpful?
In short GraphQL is one of the most modern ways of building and querying APIs.
Start fuzzing your target by including below end points in your word-list.
/graphql
/graphql/console/
/v1/graphql
/graphql?debug=1
/graphql/console?debug=1
/graphql.php?debug=1
/graphiql.php?debug=1
/explorer?debug=1
/altair?debug=1
/playground?debug=1
/v1/graphql?debug=1
/v1/graphql/console?debug=1
/v1/graphql.php?debug=1
/v1/graphiql.php?debug=1
/v1/explorer?debug=1
/v1/altair?debug=1
/v1/playground?debug=1
/v2/graphql?debug=1
/v2/graphql/console?debug=1
/v2/graphql.php?debug=1
/v2/graphiql.php?debug=1
/v2/explorer?debug=1
/v2/altair?debug=1
/v2/playground?debug=1
[..]Once you identified the GraphQL end point then proceed for below checks.
Introspection query retrieves the complete documentation and list of all API calls that are available in back-end.
To check whether introspection is enabled or not you can make POST request to identified GraphQL end-point with the following query
{"query":"\n query IntrospectionQuery {\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n ","variables":null}If the introspection is enabled then you will get complete list of all API calls in response.
The response will be big and difficult to understand the schema, follow below steps for the better visualization of schema.
Navigate to graphql-voyager
Click on Change Schema
Then navigate to Introspection tab
Copy entire introspection query response you got from the above query and paste here and click Display
Now go through the the chart thoroughly for better understanding on work flow and get ready to play with the queries
Mainly you can look for below vulnerabilities in GraphQL end points but not limited to
SQL and NoSQL
IDOR
Brute Force Attack
CSRF
Information Disclosure
Most of the GraphQL chart have loops and N number of paths and it will be difficult to track each path manually, so below listed tools can be used to reduce manual work while analyzing end points.
GraphQLmap provides an interactive shell to play with GraphQL end points
graphql-path-enum can be used retrieve different ways of reaching a given type in a GraphQL schema.
You can also use graphql-introspection-analyzer.py for analyzing end-points
You can include InQL extension in Burp to play with GraphQL end-points
>https://blog.doyensec.com/2018/05/17/graphql-security-overview.html
>https://blog.doyensec.com/2020/03/26/graphql-scanner.html
>https://medium.com/bugbountywriteup/graphql-voyager-as-a-tool-for-security-testing-86d3c634bcd9
>https://medium.com/@the.bilal.rizwan/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696
Thanks for reading:)
Follow me on twitter @0xAyub for more notes