GraphQL

Various test cases

Testing Methodology

1. Discovery

To check whether the current web application or service exposes a GraphQL endpoint, probe a combination of common paths such as "/graphql" and "/graphiql", with and without a version prefix such as "/v1/graphql". Below is a generic wordlist compiled:

2. Schema via Introspection Query

{"query": "query IntrospectionQuery {__schema {queryType { name },mutationType { name },subscriptionType { name },types {...FullType},directives {name,description,args {...InputValue},onOperation,onFragment,onField}}}\nfragment FullType on __Type {kind,name,description,fields(includeDeprecated: true) {name,description,args {...InputValue},type {...TypeRef},isDeprecated,deprecationReason},inputFields {...InputValue},interfaces {...TypeRef},enumValues(includeDeprecated: true) {name,description,isDeprecated,deprecationReason},possibleTypes {...TypeRef}}\nfragment InputValue on __InputValue {name,description,type { ...TypeRef },defaultValue}\nfragment TypeRef on __Type {kind,name,ofType {kind,name,ofType {kind,name,ofType {kind,name}}}}"}

The introspection root field and the built-in types carry a double-underscore prefix (__schema, __Type, __InputValue); without it the query is rejected. Newer servers replaced the directive fields onOperation, onFragment and onField with locations, so swap those if the query errors on that part.
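From the defending side, the usual control is to turn introspection off outside development and to be able to verify that a request selecting __schema or __type is refused. The following is an added example (not code from the page; written here with only the Python standard library) of a small request screen that strips string and comment literals, tokenises the query, and flags the introspection fields. It also accepts a batched body (a JSON list of operations) so that a single introspection operation hidden in a batch is still caught; the sample queries are constructed for this example.

```python
import json
import re

# Names reserved by the specification for the introspection system. A query
# that selects either of them is an introspection query; __typename is a
# different, harmless name and is not matched.
INTROSPECTION_FIELDS = {"__schema", "__type"}

_BLOCK_STRING = re.compile(r'"""(?:.|\n)*?"""')
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r'#[^\n]*')
_NAME = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')


def strip_literals(query):
    """Blank out string literals and comments so that text such as
    search(text: "__schema") is not mistaken for a selection."""
    query = _BLOCK_STRING.sub('""', query)
    query = _STRING.sub('""', query)
    return _COMMENT.sub('', query)


def introspection_fields(query):
    """Return the set of introspection field names selected in the query."""
    return {name for name in _NAME.findall(strip_literals(query))
            if name in INTROSPECTION_FIELDS}


def is_introspection(query):
    return bool(introspection_fields(query))


def screen_request(body, allow_introspection=False):
    """Inspect a raw GraphQL HTTP body (single operation or a batched list)
    and decide whether to forward it. Returns (allowed, reason)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    operations = payload if isinstance(payload, list) else [payload]
    for index, op in enumerate(operations):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, f"operation {index} has no query string"
        found = introspection_fields(op["query"])
        if found and not allow_introspection:
            return False, f"operation {index} selects {sorted(found)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies: a full introspection request and an ordinary query.
    print(screen_request('{"query": "{ __schema { types { name } } }"}'))
    print(screen_request('{"query": "{ user(id: 1) { name __typename } }"}'))
```

The screen is a check on the transport layer, not a replacement for disabling introspection in the server configuration; its value is that it can be run against captured traffic or in a test suite to confirm the setting actually holds.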

What if introspection is disabled? Use field suggestions to build up a query step by step: when a query names a field that does not exist, a server with suggestions enabled answers with a "Did you mean ..." hint that reveals the closest real field name. For example, in the request below we check whether an operation "getData" is available by supplying the incomplete operation name "getd".

{"operationName":"xyz","variables":{},"query":"query xyz {getd }"}
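A defender wants two things from this: a check that tells whether the server still leaks names through its error messages, and a scrub for the hint sentence when suggestions cannot be switched off in the server itself. The block below is an added example written for this page (not project code) that does both against the error-message format used by the reference implementation, "Did you mean "getData" or "getDate"?"; the two sample responses are constructed.

```python
import json
import re

# Hint sentence produced by the reference implementation when a field is unknown.
# One candidate renders as "Did you mean "a"?", two as "Did you mean "a" or "b"?",
# more as "Did you mean "a", "b", or "c"?".
_HINT = re.compile(r'Did you mean (.*?)\?')
_QUOTED = re.compile(r'"([^"]+)"')

# Constructed sample responses: one from a server that still emits suggestions,
# one from a server where the hint has been removed.
SAMPLE_LEAKY_RESPONSE = json.dumps({"errors": [{
    "message": 'Cannot query field "getd" on type "Query". Did you mean "getData" or "getDate"?',
    "locations": [{"line": 1, "column": 11}],
}]})
SAMPLE_HARDENED_RESPONSE = json.dumps({"errors": [{
    "message": 'Cannot query field "getd" on type "Query".',
}]})


def suggested_names(response_body):
    """Collect every name a GraphQL error response offers in a 'Did you mean' hint."""
    payload = json.loads(response_body)
    names = []
    for error in payload.get("errors", []):
        for hint in _HINT.findall(error.get("message", "")):
            names.extend(_QUOTED.findall(hint))
    return names


def leaks_schema(response_body):
    """True when the response enumerates schema names it was not asked for."""
    return bool(suggested_names(response_body))


def scrub_suggestions(message):
    """Mitigation for the server side: keep the 'unknown field' statement but drop
    the hint sentence so the error no longer acts as a schema oracle."""
    return re.sub(r'\s*Did you mean [^?]*\?', '', message)


if __name__ == "__main__":
    print(suggested_names(SAMPLE_LEAKY_RESPONSE))
    print(scrub_suggestions('Cannot query field "getd" on type "Query". Did you mean "getData"?'))
```

Run the check after deploying a "no suggestions" setting or plugin: an empty result from suggested_names on a deliberately misspelled field is the evidence that the hardening took effect.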

3. Burp Active Scan of GraphQL operations

We use the "GraphQL Raider" Burp extension together with Burp Intruder to define the insertion points inside GraphQL operations.

Steps:

  1. Install the Burp extension "GraphQL Raider".

  2. Send the request from Burp's HTTP history to Repeater.

  3. Observe the insertion points shown by "GraphQL Raider".

  4. Send the request to Burp Intruder.

  5. Highlight the insertion points observed in step 3.

  6. Select Intruder > Scan defined insertion points.

4. Access endpoint without a token or Authorization header

5. Injection

  • OS command injection, SQLi or NoSQLi through operation arguments and variables

6. IDOR, e.g. object identifiers passed in variables
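Items 5 and 6 both come down to what the resolver does with a variable it receives. The block below is an added example (not code from the page; Python with the standard-library sqlite3 module and constructed sample rows) that places a resolver with both defects next to its hardened form: the weak version splices the `id` variable into SQL and never checks who owns the row, the hardened version binds the value as a parameter and adds an ownership predicate tied to the authenticated caller. The `viewer_id` argument stands in for whatever identity the request's token resolves to.

```python
import sqlite3


def build_db():
    """Constructed sample data: two users (100 and 200), each owning one order."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner_id INTEGER, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, 100, "laptop"), (2, 200, "phone")])
    return db


def resolve_order_vulnerable(db, variables):
    """Resolver for `order(id: $id)` that trusts the variable: the SQL is built by
    string formatting (injection) and no ownership check is made (IDOR)."""
    sql = f"SELECT id, owner_id, item FROM orders WHERE id = '{variables['id']}'"
    return [{"id": row[0], "item": row[2]} for row in db.execute(sql).fetchall()]


def resolve_order_hardened(db, variables, viewer_id):
    """Same resolver with a bound parameter and an ownership predicate, so neither a
    crafted id string nor another user's id yields a row. viewer_id is assumed to
    come from the validated Authorization header, never from the query."""
    rows = db.execute(
        "SELECT id, owner_id, item FROM orders WHERE id = ? AND owner_id = ?",
        (variables["id"], viewer_id),
    ).fetchall()
    return [{"id": row[0], "item": row[2]} for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(resolve_order_vulnerable(db, {"id": "2"}))        # returns user 200's order to anyone
    print(resolve_order_hardened(db, {"id": "2"}, viewer_id=100))  # [] for a caller who does not own it
```

The ownership predicate is the fix for item 6 and the parameter binding is the fix for item 5; a resolver needs both, since each defect is independent of the other.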

7. DOS

  • Query batching: many operations in one request, e.g. [{query 1}, {query 2}]. It can also be used for 2FA bypass, because a rate limit that counts requests rather than operations sees the whole batch as one attempt.

  • Deeply nested (recursive) queries
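The server-side controls for both DoS vectors are limits that are applied per operation rather than per HTTP request: a cap on batch size, a cap on selection-set depth, and a rate limiter that charges every operation in a batch. The block below is an added example (not from the page; standard-library Python, constructed sample bodies, and the limit values are assumptions to be set per deployment). Depth is measured as brace nesting after literals are removed, which is deliberately conservative: braces of input objects count too, and fragment spreads are not expanded, so a real deployment would measure depth on the parsed document instead.

```python
import json
import re

MAX_DEPTH = 8    # assumed policy value
MAX_BATCH = 5    # assumed policy value

_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r'#[^\n]*')


def query_depth(query):
    """Deepest selection-set nesting, counted as brace depth once string and
    comment literals are blanked out so that braces inside them are ignored."""
    depth = deepest = 0
    for ch in _COMMENT.sub('', _STRING.sub('""', query)):
        if ch == '{':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == '}':
            depth -= 1
    return deepest


def check_body(body, max_depth=MAX_DEPTH, max_batch=MAX_BATCH):
    """Return (allowed, reason) for a raw GraphQL body, single or batched."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > max_batch:
        return False, f"batch of {len(operations)} exceeds limit {max_batch}"
    for index, op in enumerate(operations):
        depth = query_depth(op.get("query", ""))
        if depth > max_depth:
            return False, f"operation {index} depth {depth} exceeds limit {max_depth}"
    return True, "ok"


class OperationRateLimiter:
    """Counts every operation in a batch against the caller's budget, so a
    batch of N login or OTP attempts costs N attempts, not one."""

    def __init__(self, budget):
        self.budget = budget
        self.used = {}

    def admit(self, caller, body):
        payload = json.loads(body)
        count = len(payload) if isinstance(payload, list) else 1
        if self.used.get(caller, 0) + count > self.budget:
            return False
        self.used[caller] = self.used.get(caller, 0) + count
        return True


def make_nested(depth):
    """Constructed test input: a query whose selection sets nest `depth` levels."""
    return "{ node " * (depth - 1) + "{ id }" + " }" * (depth - 1)


if __name__ == "__main__":
    print(check_body(json.dumps({"query": make_nested(3)})))
    print(check_body(json.dumps({"query": make_nested(20)})))
    print(check_body(json.dumps([{"query": "{ a }"}] * 6)))
```

Batch counting in the rate limiter is the mitigation for the 2FA case above: once each operation is charged individually, splitting attempts across a batch gains nothing over sending them one by one.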

8. Deprecated Operations/Fields
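Deprecated fields and enum values stay callable after they are marked, which is why they belong on the test list; the introspection query above asks for them explicitly with includeDeprecated: true, and a schema owner should keep the same inventory. The block below is an added example (not from the page; standard-library Python) that walks a constructed introspection result of the shape that query returns and lists every deprecated member with its stated reason, skipping the built-in __* types.

```python
import json

# Constructed introspection result, trimmed to the parts this inventory reads.
# In a real run this is the "data" object returned for the introspection query.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {"types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "getData", "isDeprecated": False, "deprecationReason": None},
            {"name": "getDataV1", "isDeprecated": True, "deprecationReason": "Use getData"},
        ], "enumValues": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": [
            {"name": "types", "isDeprecated": False, "deprecationReason": None},
        ], "enumValues": None},
        {"kind": "ENUM", "name": "Role", "fields": None, "enumValues": [
            {"name": "ADMIN", "isDeprecated": False, "deprecationReason": None},
            {"name": "SUPERUSER", "isDeprecated": True, "deprecationReason": "Folded into ADMIN"},
        ]},
    ]}}
})


def deprecated_members(introspection_json):
    """Return [(\"Type.member\", reason), ...] for every deprecated field and
    enum value in an introspection result; built-in __* types are skipped."""
    types = json.loads(introspection_json)["data"]["__schema"]["types"]
    found = []
    for type_info in types:
        if type_info["name"].startswith("__"):
            continue
        members = (type_info.get("fields") or []) + (type_info.get("enumValues") or [])
        for member in members:
            if member.get("isDeprecated"):
                found.append((f"{type_info['name']}.{member['name']}",
                              member.get("deprecationReason")))
    return found


if __name__ == "__main__":
    for name, reason in deprecated_members(SAMPLE_INTROSPECTION):
        print(f"{name}: {reason}")
```

Each entry in the output is a field or value that is still resolvable; the review question for every one of them is whether it still passes through the same authorization and validation as its replacement, or whether it should simply be removed.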
