GraphQL
Resources
- GraphQL Threat Matrix
- HackTricks GraphQL
- jondow.eu/practical-graphql-attack-vectors
- graphql-common-vulnerabilities-how-to-exploit-them
- common-security-test-cases-for-graphql-endpoints
- ghostlulz.com/api-hacking-graphql
- PayloadsAllTheThings
- PortSwigger GraphQL
Tools
- Altair GraphQL Client
- Clairvoyance
- EyeWitness
- CrackQL
- Graphw00f
- BatchQL
- graphql-path-enum
- GraphQL Cop
- InQL Burp extension
Recon
Detecting GraphQL
# -d runs detect mode (find the GraphQL endpoint), -t sets the target URL,
# and --fingerprint identifies which GraphQL server implementation answers.
# Replace the <...> placeholders with the host and port under assessment.
# Defender's view: the endpoint search presumably requests a series of common
# paths in quick succession, which should be visible in web server logs.
graphw00f -d -t http://<target_ip_or_domain>:<target_port> --fingerprint
Basic introspection queries
# Smallest useful introspection probe: asks the schema for the name of
# every type it defines (objects, inputs, enums, scalars, built-ins).
# A populated response means introspection is enabled on this endpoint.
# Hardening: turn introspection off where clients do not need it, but
# treat that as exposure reduction only; per-field authorization in the
# resolvers is what actually protects the data.
query {
  __schema {
    types {
      name
    }
  }
}
# Shorthand form (no `query` keyword) of an anonymous query.
# Lists every field exposed on the root query type together with the
# name of its return type, i.e. the read entry points of the API.
# Note: `type.name` is null for wrapped types (NON_NULL / LIST); the
# underlying name is only reachable through `ofType`.
{
  __schema {
    queryType {
      fields {
        name
        type {
          name
        }
      }
    }
  }
}
# Inspects a single type by name: "SomeType" is a placeholder to be
# replaced with a type name taken from a schema listing.
# Returns the type's name and kind, plus the name and the type
# (name, kind) of each of its fields.
# Detection: `__type` and `__schema` in a request body are reliable
# markers of schema enumeration when reviewing GraphQL request logs.
query {
  __type(name: "SomeType") {
    name
    kind
    fields {
      name
      type {
        name
        kind
      }
    }
  }
}
# Mid-size schema overview in one request:
#   - names of the root query, mutation and subscription types
#     (mutationType / subscriptionType are null when not defined)
#   - for every type: its kind, its name, its fields, and the argument
#     names each field accepts
# Argument names matter for review because they show which inputs
# reach the resolvers and therefore need validation and authorization.
query {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields {
        name
        args {
          name
        }
      }
    }
  }
}
# source: GraphQL Voyager
# Full introspection query: dumps root operation type names, every type
# (expanded through the FullType fragment) and every directive with its
# description, locations and arguments (expanded through InputValue).
# Must be sent together with the FullType, InputValue and TypeRef
# fragment definitions, otherwise the server rejects the document.
# The response is a complete schema description, so a production
# endpoint answering it exposes its whole API surface, including
# deprecated fields, to anyone who can reach it.
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}
# Complete description of one schema type. Which sub-selections are
# populated depends on the kind of the type; the rest come back null.
fragment FullType on __Type {
  kind
  name
  description
  # includeDeprecated: true also returns fields marked @deprecated,
  # which often still resolve and are easy to overlook in access reviews.
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  # Populated for input object types.
  inputFields {
    ...InputValue
  }
  # Interfaces implemented by the type.
  interfaces {
    ...TypeRef
  }
  # Populated for enum types; deprecated values are included as well.
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  # Populated for interface and union types: the concrete types behind them.
  possibleTypes {
    ...TypeRef
  }
}
# Describes one argument or input field: its name, description, type
# (resolved through the TypeRef fragment) and declared default value.
fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}
# Resolves a type reference through its NON_NULL / LIST wrappers.
# A fragment cannot spread itself, so the unwrapping is written out as
# a fixed chain of nested `ofType` selections, seven levels deep here.
# A type wrapped more deeply than that would come back truncated.
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}