Approaching GraphQL End Points

Brief note on how you can proceed for testing GraphQL end points

In short GraphQL is one of the most modern ways of building and querying APIs.

Identification

Start fuzzing your target by including below end points in your word-list.

/graphql
/graphql/console/
/v1/graphql
/graphql?debug=1
/graphql/console?debug=1
/graphql.php?debug=1
/graphiql.php?debug=1
/explorer?debug=1
/altair?debug=1
/playground?debug=1
/v1/graphql?debug=1
/v1/graphql/console?debug=1
/v1/graphql.php?debug=1
/v1/graphiql.php?debug=1
/v1/explorer?debug=1
/v1/altair?debug=1
/v1/playground?debug=1
/v2/graphql?debug=1
/v2/graphql/console?debug=1
/v2/graphql.php?debug=1
/v2/graphiql.php?debug=1
/v2/explorer?debug=1
/v2/altair?debug=1
/v2/playground?debug=1
[..]

Once you identified the GraphQL end point then proceed for below checks.

Common Miss Configurations in GraphQL

Introspection enabled

Introspection query retrieves the complete documentation and list of all API calls that are available in back-end.

To check whether introspection is enabled or not you can make POST request to identified GraphQL end-point with the following query

{"query":"\n    query IntrospectionQuery {\r\n      __schema {\r\n        queryType { name }\r\n        mutationType { name }\r\n        subscriptionType { name }\r\n        types {\r\n          ...FullType\r\n        }\r\n        directives {\r\n          name\r\n          description\r\n          locations\r\n          args {\r\n            ...InputValue\r\n          }\r\n        }\r\n      }\r\n    }\r\n\r\n    fragment FullType on __Type {\r\n      kind\r\n      name\r\n      description\r\n      fields(includeDeprecated: true) {\r\n        name\r\n        description\r\n        args {\r\n          ...InputValue\r\n        }\r\n        type {\r\n          ...TypeRef\r\n        }\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      inputFields {\r\n        ...InputValue\r\n      }\r\n      interfaces {\r\n        ...TypeRef\r\n      }\r\n      enumValues(includeDeprecated: true) {\r\n        name\r\n        description\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      possibleTypes {\r\n        ...TypeRef\r\n      }\r\n    }\r\n\r\n    fragment InputValue on __InputValue {\r\n      name\r\n      description\r\n      type { ...TypeRef }\r\n      defaultValue\r\n    }\r\n\r\n    fragment TypeRef on __Type {\r\n      kind\r\n      name\r\n      ofType {\r\n        kind\r\n        name\r\n        ofType {\r\n          kind\r\n          name\r\n          ofType {\r\n            kind\r\n            name\r\n            ofType {\r\n              kind\r\n              name\r\n              ofType {\r\n                kind\r\n                name\r\n                ofType {\r\n                  kind\r\n                  name\r\n                  ofType {\r\n                    kind\r\n                    name\r\n                  }\r\n                }\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }\r\n  ","variables":null}

If the introspection is enabled then you will get complete list of all API calls in response.

The response will be big and difficult to understand the schema, follow below steps for the better visualization of schema.

Navigate to graphql-voyager
Click on Change Schema
Then navigate to Introspection tab
Copy entire introspection query response you got from the above query and paste here and click Display
Now go through the the chart thoroughly for better understanding on work flow and get ready to play with the queries

Vulnerabilities to Check

Mainly you can look for below vulnerabilities in GraphQL end points but not limited to

SQL and NoSQL
IDOR
Brute Force Attack
CSRF
Information Disclosure

Tools

Most of the GraphQL chart have loops and N number of paths and it will be difficult to track each path manually, so below listed tools can be used to reduce manual work while analyzing end points.

GraphQLmap provides an interactive shell to play with GraphQL end points
graphql-path-enum can be used retrieve different ways of reaching a given type in a GraphQL schema.
You can also use graphql-introspection-analyzer.py for analyzing end-points