search

GraphQL

Various test cases

hashtag
Testing Methodology

hashtag
1. Discovery

In order to check if the current web application/service has a potential GraphQL endpoint, we can use a combination of generic endpoints like "/graphql", "graphiql", etc. with(out) versioning like "/v1/graphql". Below is a generic wordlist compiled:

file-download
698B
discovery.txt
arrow-up-right-from-squareOpen

hashtag
2. Schema via Introspection Query

{"query": "query IntrospectionQuery {schema {queryType { name },mutationType { name },subscriptionType { name },types {...FullType},directives {name,description,args {...InputValue},onOperation,onFragment,onField}}}\nfragment FullType on Type {kind,name,description,fields(includeDeprecated: true) {name,description,args {...InputValue},type {...TypeRef},isDeprecated,deprecationReason},inputFields {...InputValue},interfaces {...TypeRef},enumValues(includeDeprecated: true) {name,description,isDeprecated,deprecationReason},possibleTypes {...TypeRef}}\nfragment InputValue on InputValue {name,description,type { ...TypeRef },defaultValue}\nfragment TypeRef on Type {kind,name,ofType {kind,name,ofType {kind,name,ofType {kind,name}}}}"}

What if it’s disabled? Use field suggestions to craft a query step-by-step. For eg. In the below request, we are trying to find if an operation "getData" is available by supplying an incomplete operation name "getd".

{"operationName":"xyz","variables":{},"query":"query xyz {getd }"}

hashtag
3. Burp Active Scan of GraphQL operations

We would be using "GraphQL Raider" Burp extension and Burp Intruder to configure the insertion points in GraphQL operations.

Steps:

  1. Download the burp extension "GraphQL Raider".

  2. Send the request in burp history to repeater.

  3. Observe the insertion points using "GraphQL Raider".

  4. Send the request to burp intruder.

  5. Highlight the insertion points observed in step 3.

  6. Now, Select Intruder > Scan defined insertion points.

hashtag
4. Access endpoint without a token or Authorization header

hashtag
5. Injection

  • [OS Command Injection, SQLi or NoSQLi]

hashtag
6. IDOR eg. variables

hashtag
7. DOS

  • Batching Query [can be used for 2FA bypass] eg. [{query 1}, {query 2}]

  • Deep Recursion Query

hashtag
8. Deprecated Operations/Fields

PreviousBlind XPath InjectionNextReverse Shells

Last updated