GraphQL
Various test cases
Testing Methodology
1. Discovery
To check whether the web application or service exposes a GraphQL endpoint, probe a combination of common paths such as "/graphql" and "/graphiql", with and without versioning (e.g. "/v1/graphql"). Below is a generic wordlist compiled:
2. Schema via Introspection Query
What if it's disabled? Use field suggestions to craft a query step by step. For example, in the request below we try to find out whether an operation "getData" exists by supplying the incomplete operation name "getd".
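The mechanism behind that request, as an added Python example that is not part of the original page: when a server's "Did you mean ...?" suggestions are enabled, an error for an unknown field echoes real schema names back to the client even with introspection turned off, so the defensive fix is to disable suggestions in production. The schema field list, the suggestion heuristic (a simplified prefix/similarity match, not graphql-js's exact algorithm) and the function names are all assumptions made for the example.

```python
import difflib  # stdlib; stands in for the server's suggestion heuristic (assumption)

# Constructed sample schema: the operations a hypothetical Query type exposes.
SCHEMA_QUERY_FIELDS = ["getData", "getUser", "listOrders", "health"]


def suggest_fields(requested, schema_fields, max_suggestions=5):
    """Return schema field names that look like `requested`.

    Simplified stand-in for the 'Did you mean ...?' heuristic of common GraphQL
    servers (assumption: NOT graphql-js's exact algorithm). A field is suggested
    when the request is a case-insensitive prefix of it, or when the two names
    are close by difflib's similarity ratio.
    """
    needle = requested.lower()
    hits = []
    for name in schema_fields:
        similar = difflib.SequenceMatcher(None, needle, name.lower()).ratio() >= 0.6
        if name.lower().startswith(needle) or similar:
            hits.append(name)
    return hits[:max_suggestions]


def field_error(requested, type_name, schema_fields, suggestions_enabled=True):
    """Build the error message a server returns for an unknown field.

    With suggestions enabled the message leaks real field names even when
    introspection is disabled; with suggestions disabled it stays generic.
    """
    message = 'Cannot query field "%s" on type "%s".' % (requested, type_name)
    if suggestions_enabled:
        hits = suggest_fields(requested, schema_fields)
        if hits:
            message += " Did you mean " + ", ".join('"%s"' % h for h in hits) + "?"
    return message


def leaked_fields(error_message, schema_fields):
    """What an observer learns from one error: the schema names it contains."""
    return [f for f in schema_fields if '"%s"' % f in error_message]


if __name__ == "__main__":
    # Probe "getd" against the constructed schema with suggestions on and off.
    for enabled in (True, False):
        msg = field_error("getd", "Query", SCHEMA_QUERY_FIELDS, enabled)
        print("suggestions=%s -> %s" % (enabled, msg))
        print("  leaked:", leaked_fields(msg, SCHEMA_QUERY_FIELDS))
```

The check to run against your own deployment is the second case: an unknown-field error should contain no schema name other than the one the client sent.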
3. Burp Active Scan of GraphQL operations
We use the "GraphQL Raider" Burp extension together with Burp Intruder to configure the insertion points in GraphQL operations.
Steps:
Download the Burp extension "GraphQL Raider".
Send the request from Burp history to Repeater.
Observe the insertion points using "GraphQL Raider".
Send the request to Burp Intruder.
Highlight the insertion points observed in step 3.
Now select Intruder > Scan defined insertion points.
4. Access endpoint without a token or Authorization header
5. Injection
[OS Command Injection, SQLi or NoSQLi]
6. IDOR, e.g. via variables
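A vulnerable resolver beside its hardened form, as an added Python example that is not from the original page: the object id arrives in the request's variables, and the defect is authorizing the endpoint (is the caller logged in?) without authorizing the object (does the caller own it?). The in-memory order store, the context shape and the function names are constructed for the example.

```python
# Constructed in-memory data: orders keyed by id, each with an owner (assumption).
ORDERS = {
    "1001": {"id": "1001", "owner": "alice", "total": 42.0},
    "1002": {"id": "1002", "owner": "bob", "total": 17.5},
}

# Audit trail of denied object access; a real service would emit these as logs.
DENIED = []


def resolve_order_vulnerable(ctx, variables):
    """Trusts the client-supplied 'id' variable outright.

    Any authenticated user can read any order: classic IDOR through variables.
    """
    return ORDERS.get(variables["id"])


def resolve_order_hardened(ctx, variables):
    """Authorizes on the object, not only the endpoint: the caller must own it.

    Missing and foreign orders both return None so the response does not reveal
    whether an id exists; the denial is recorded for detection.
    """
    order = ORDERS.get(variables["id"])
    if order is None:
        return None
    if order["owner"] != ctx["user"]:
        DENIED.append({"user": ctx["user"], "order": variables["id"]})
        return None
    return order


def execute(resolver, ctx, request):
    """Tiny stand-in for a GraphQL executor: runs one resolver with the
    request's variables and wraps the result in a GraphQL-style envelope."""
    variables = request.get("variables") or {}
    return {"data": {"order": resolver(ctx, variables)}}


if __name__ == "__main__":
    # Constructed request: bob (authenticated) asks for alice's order.
    req = {"query": "query($id: ID!) { order(id: $id) { id total } }",
           "variables": {"id": "1001"}}
    bob = {"user": "bob"}
    print("vulnerable:", execute(resolve_order_vulnerable, bob, req))
    print("hardened:  ", execute(resolve_order_hardened, bob, req))
    print("denied events:", DENIED)
```

A spike of `DENIED` events from one user walking sequential ids is the detection signal for this class of test.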
7. DOS
Batching Query [can be used for 2FA bypass], e.g. [{query 1}, {query 2}]
Deep Recursion Query
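A request guard covering both DoS items above, as an added Python example that is not from the original page: it rejects batched bodies (a JSON array of operations, as in [{query 1}, {query 2}]) above a size limit, which also removes the one-request brute-force that batching allows against a 2FA check, and it rejects documents whose selection sets nest deeper than a limit before they reach the executor. The limits, the sample requests and the function names are assumptions; the depth counter skips string literals and comments so braces inside them do not count.

```python
import json

MAX_DEPTH = 5   # assumed limit; tune to the deepest legitimate query in the schema
MAX_BATCH = 1   # assumed limit; one operation per HTTP request


def selection_depth(query):
    """Maximum nesting of selection sets ('{' ... '}') in a GraphQL document.

    '#' comments and string literals (including \"\"\"block strings\"\"\") are
    skipped. Unbalanced braces are reported as -1 (malformed document).
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == "#":                         # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif c == '"':                       # string literal
            if query.startswith('"""', i):   # block string: find the closing """
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
                continue
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1   # skip escaped characters
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
            if depth < 0:
                return -1
        i += 1
    return max_depth if depth == 0 else -1


def check_request(body, max_depth=MAX_DEPTH, max_batch=MAX_BATCH):
    """Validate a parsed JSON body before it reaches the executor.

    Returns (accepted, reason). A JSON array is a batched request; each element
    must be an object carrying a 'query' string within the depth limit.
    """
    ops = body if isinstance(body, list) else [body]
    if isinstance(body, list) and len(ops) > max_batch:
        return False, "batch of %d operations exceeds limit of %d" % (len(ops), max_batch)
    for idx, op in enumerate(ops):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation %d is not a GraphQL request object" % idx
        d = selection_depth(op["query"])
        if d < 0:
            return False, "operation %d has unbalanced braces" % idx
        if d > max_depth:
            return False, "operation %d depth %d exceeds limit of %d" % (idx, d, max_depth)
    return True, "ok"


def check_raw(raw_body, **limits):
    """Same check starting from the raw request body text."""
    try:
        return check_request(json.loads(raw_body), **limits)
    except ValueError:
        return False, "body is not valid JSON"


# Constructed sample requests (not captured from any real service).
NORMAL = {"query": "{ user(id: 1) { name email } }"}                              # depth 2
DEEP = {"query": "{ user { friends { friends { friends { friends { friends { name } } } } } } }"}  # depth 7
BATCH = [{"query": "{ health }"}, {"query": "{ health }"}]                         # 2 operations

if __name__ == "__main__":
    for label, body in (("normal", NORMAL), ("deep", DEEP), ("batch", BATCH)):
        print(label, check_request(body))
    print("raw", check_raw(json.dumps(NORMAL)))
```

Depth here is a brace-nesting count, which is cheap and needs no parser; a production guard would normally add a cost or alias-count limit on top, since the page's batching note applies equally to many aliased copies of one field inside a single document.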
8. Deprecated Operations/Fields