GraphQL

Detection

/graphql
/altair
/explorer
/graphiql
/graphiql.css
/graphiql/finland
/graphiql.js
/graphiql.min.css
/graphiql.min.js
/graphiql.php
/graphql
/graphql/console
/graphql-explorer
/graphql.php
/graphql/schema.json
/graphql/schema.xml
/graphql/schema.yaml
/playground
/subscriptions
/api/graphql
/graph
/v1/altair
/v1/explorer
/v1/graphiql
/v1/graphiql.css
/v1/graphiql/finland
/v1/graphiql.js
/v1/graphiql.min.css
/v1/graphiql.min.js
/v1/graphiql.php
/v1/graphql
/v1/graphql/console
/v1/graphql-explorer
/v1/graphql.php
/v1/graphql/schema.json
/v1/graphql/schema.xml
/v1/graphql/schema.yaml
/v1/playground
/v1/subscriptions
/v1/api/graphql
/v1/graph
/v2/altair
/v2/explorer
/v2/graphiql
/v2/graphiql.css
/v2/graphiql/finland
/v2/graphiql.js
/v2/graphiql.min.css
/v2/graphiql.min.js
/v2/graphiql.php
/v2/graphql
/v2/graphql/console
/v2/graphql-explorer
/v2/graphql.php
/v2/graphql/schema.json
/v2/graphql/schema.xml
/v2/graphql/schema.yaml
/v2/playground
/v2/subscriptions
/v2/api/graphql
/v2/graph
/v3/altair
/v3/explorer
/v3/graphiql
/v3/graphiql.css
/v3/graphiql/finland
/v3/graphiql.js
/v3/graphiql.min.css
/v3/graphiql.min.js
/v3/graphiql.php
/v3/graphql
/v3/graphql/console
/v3/graphql-explorer
/v3/graphql.php
/v3/graphql/schema.json
/v3/graphql/schema.xml
/v3/graphql/schema.yaml
/v3/playground
/v3/subscriptions
/v3/api/graphql
/v3/graph
/v4/altair
/v4/explorer
/v4/graphiql
/v4/graphiql.css
/v4/graphiql/finland
/v4/graphiql.js
/v4/graphiql.min.css
/v4/graphiql.min.js
/v4/graphiql.php
/v4/graphql
/v4/graphql/console
/v4/graphql-explorer
/v4/graphql.php
/v4/graphql/schema.json
/v4/graphql/schema.xml
/v4/graphql/schema.yaml
/v4/playground
/v4/subscriptions
/v4/api/graphql
/v4/graph

GitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub

Working with GraphQL in Burp SuiteBurp_Suite

Fingerprinting

GitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub

GitHub - nicholasaleks/graphql-threat-matrix: GraphQL threat framework used by security professionals to research security gaps in GraphQL implementationsGitHub

Introspection enabled

query FullIntrospectionQuery {
    __schema {
        queryType {
            name
        }
        mutationType {
            name
        }
        subscriptionType {
            name
        }
        types {
          ...FullType
        }
        directives {
            name
            description
            args {
                ...InputValue
            }
        }
    }
}

fragment FullType on __Type {
      kind
      name
      description
      fields(includeDeprecated: true) {
          name
          description
          args {
              ...InputValue
          }
          type {
              ...TypeRef
          }
          isDeprecated
          deprecationReason
      }
      inputFields {
          ...InputValue
      }
      interfaces {
          ...TypeRef
      }
      enumValues(includeDeprecated: true) {
          name
          description
          isDeprecated
          deprecationReason
      }
      possibleTypes {
          ...TypeRef
      }
}

fragment InputValue on __InputValue {
      name
      description
      type {
          ...TypeRef
      }
      defaultValue
}

fragment TypeRef on __Type {
    kind
    name
    ofType {
        kind
        name
        ofType {
            kind
            name
            ofType {
              kind
              name
            }
        }
    }
}

GitHub - graphql-kit/graphql-voyager: 🛰️ Represent any GraphQL API as an interactive graphGitHub

Error Messages

GitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema despite disabled introspection!GitHub

CSRF

How to Perform CSRF Attack in GraphQL APIMedium

Bypassing rate limits

GitHub - nicholasaleks/CrackQL: CrackQL is a GraphQL password brute-force and fuzzing utility.GitHub

SQL injection - Time based

DoS throught batched queries

Wordlists

SecLists/Discovery/Web-Content/graphql.txt at master · danielmiessler/SecListsGitHub

GitHub - Escape-Technologies/graphql-wordlist: The only GraphQL wordlist you'll ever need. Operations, field names, type names... Collected on more than 60k distinct GraphQL schemas.GitHub

InQL

Burp Extension

GitHub - doyensec/inql: InQL - A Burp Extension for GraphQL Security TestingGitHub

InQL - Introspection GraphQL Scanner

CLI

$ pip install inql
$ inql -t https://anilist.co/graphql

InQL Scanner · Doyensec's Blog

Tools

GitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.GitHub

GitHub - doyensec/GQLSpection: GQLSpection - parses GraphQL introspection schema and generates possible queriesGitHub

GitHub - assetnote/batchql: GraphQL security auditing script with a focus on performing batch GraphQL queries and mutationsGitHub

GitHub - dolevf/graphql-cop: Security Auditor Utility for GraphQL APIsGitHub

GitHub - gsmith257-cyber/GraphCrawler: GraphQL automated security testing toolkitGitHub

dee-see / graphql-path-enumGitLab

Interesting Reports

1. https://hackerone.com/reports/2048725

2. https://hackerone.com/reports/2524939

3. https://hackerone.com/reports/2357012

4. https://hackerone.com/reports/2122671

5. https://hackerone.com/reports/2207248

6. https://hackerone.com/reports/1864188

7. https://hackerone.com/reports/1085332

8. https://hackerone.com/reports/1084904

9. https://hackerone.com/reports/1293377

10. https://hackerone.com/reports/1192460

Resources

Five easy ways to hack GraphQL targetsIntigriti