GraphQL API Testing Checklist
Reconnaissance
- Port Scanning: Use Nmap to identify open web application ports.
- Endpoint Detection: Use Graphw00f to locate GraphQL endpoints.
- Server Fingerprinting: Run Graphw00f's fingerprint mode to identify the server implementation.
- Vulnerability Search: Check MITRE's CVE database for known vulnerabilities in the identified server implementation.
- Security Features: Review the GraphQL Threat Matrix for the security features the implementation supports.
- IDE Search: Locate exposed GraphQL IDEs such as GraphiQL Explorer with EyeWitness.
- Introspection Query: Send an introspection query and document the available queries, mutations, and subscriptions.
- Query Visualization: Use GraphQL Voyager to visualize the introspection response.
Denial of Service Testing
- Review SDL: Check the SDL file for bidirectional relationships between types.
- Test for Vulnerabilities:
  - Circular queries or fragments
  - Field duplication
  - Alias and directive overloading
  - Query batching
  - Missing object limits on pagination parameters
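The server-side counterpart of the items above is a guard that measures a request before the executor sees it. The following is an added example, not code from the checklist or from any tool it names: a single-pass token walk that reports selection-set depth, alias count, field repeats per selection set, directive count, batch size and circular fragment spreads, then compares them against a policy. The tokenizer, `QueryStats`, `check_request` and the numbers in `LIMITS` are all assumptions made for the example; the limits are illustrative, not recommended values.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass

# Added example: a pre-execution guard for the DoS patterns above (hypothetical helper, stdlib only).
_TOKEN = re.compile(r'''
    (?P<ws>[\s,]+) | (?P<comment>\#[^\n]*)
  | (?P<block>"""(?:(?!""")[\s\S])*""") | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<spread>\.\.\.) | (?P<punct>[{}()\[\]:!$@=|&])
  | (?P<name>[A-Za-z_]\w*) | (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)
''', re.VERBOSE)

def tokenize(src):
    """Minimal GraphQL lexer; whitespace, commas and comments are dropped."""
    pos, out = 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        if m.lastgroup not in ("ws", "comment"):
            out.append((m.lastgroup, m.group()))
        pos = m.end()
    return out

@dataclass
class QueryStats:
    max_depth: int = 0            # deepest nested selection set (deep / circular queries)
    alias_count: int = 0          # 'alias: field' occurrences (alias overloading)
    max_duplicate_field: int = 0  # most repeats of one field in a single selection set
    directive_count: int = 0      # directives outside argument lists (directive overloading)
    circular_fragments: bool = False

def _has_cycle(graph):
    """True if some fragment spreads itself, directly or through other fragments."""
    state = {}                    # name -> "grey" (on the DFS stack) or "black" (finished)
    def visit(node):
        state[node] = "grey"
        for nb in graph.get(node, ()):
            if nb in graph and (state.get(nb) == "grey" or (nb not in state and visit(nb))):
                return True
        state[node] = "black"
        return False
    return any(n not in state and visit(n) for n in graph)

def analyze_query(src):
    """One pass over the tokens; argument lists (inside parentheses) are skipped entirely."""
    toks = [(None, None)] + tokenize(src) + [(None, None)]   # sentinels simplify prev/next lookups
    st, depth, paren, cur_frag = QueryStats(), 0, 0, None
    sets, spreads = [], {}        # Counter per open selection set; fragment -> names it spreads
    for i in range(1, len(toks) - 1):
        prev, (kind, text), nxt = toks[i - 1:i + 2]
        if text == "(":
            paren += 1
        elif text == ")":
            paren -= 1
        elif paren:
            continue                                  # argument value, not a selection
        elif text == "{":
            depth += 1
            st.max_depth = max(st.max_depth, depth)
            sets.append(Counter())
        elif text == "}":
            st.max_duplicate_field = max(st.max_duplicate_field, 0, *sets.pop().values())
            depth -= 1
            cur_frag = cur_frag if depth else None    # fragment body closed
        elif text == "@":
            st.directive_count += 1
        elif kind != "name":
            continue
        elif depth == 0:
            if prev == ("name", "fragment"):          # fragment Name on Type { ... }
                cur_frag, spreads[text] = text, set()
        elif prev[0] == "spread":                     # ...Name  or  ... on Type
            if text != "on" and cur_frag is not None:
                spreads[cur_frag].add(text)
        elif prev in (("punct", "@"), ("name", "on")):
            continue                                  # directive name / inline-fragment type
        elif nxt == ("punct", ":"):
            st.alias_count += 1                       # alias; the real field is counted next
        else:
            sets[-1][text] += 1
    st.circular_fragments = _has_cycle(spreads)
    return st

LIMITS = {"depth": 10, "aliases": 15, "duplicate_field": 3, "directives": 20, "batch": 5}  # assumed

def check_request(body):
    """Decide on a raw JSON request body (single operation or batch array): (allowed, reasons)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, ["body is not JSON"]
    ops = payload if isinstance(payload, list) else [payload]
    reasons = []
    if len(ops) > LIMITS["batch"]:
        reasons.append(f"batch of {len(ops)} operations exceeds {LIMITS['batch']}")
    for n, op in enumerate(ops):
        try:
            st = analyze_query(op.get("query", "") if isinstance(op, dict) else "")
        except (ValueError, IndexError) as exc:      # lexer error or unbalanced braces
            reasons.append(f"op {n}: malformed document ({exc})")
            continue
        if st.circular_fragments:
            reasons.append(f"op {n}: circular fragment spread")
        for key, value in (("depth", st.max_depth), ("aliases", st.alias_count),
                           ("duplicate_field", st.max_duplicate_field), ("directives", st.directive_count)):
            if value > LIMITS[key]:
                reasons.append(f"op {n}: {key}={value} exceeds {LIMITS[key]}")
    return not reasons, reasons
```

The guard deliberately does not validate against the schema; it only needs the document's shape, so it can run before parsing and cost analysis and reject the cheap-to-send, expensive-to-execute cases listed above. Pagination limits are enforced in the resolvers rather than here, because they depend on argument values the guard skips.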
Information Disclosure
- Schema Extraction: Use field stuffing to recover the schema when introspection is disabled.
- Error Detection: Send malformed queries and look for verbose debug errors.
- Query Tracing: Look for tracing details in responses.
- PII Exposure: Check whether PII is transmitted via the GET method, where it ends up in URLs and logs.
Authentication and Authorization
- Access Tests:
  - API access without authentication headers
  - Restricted field access via alternate paths
  - API access using GET and POST methods
- JWT Validation: Test JSON Web Token signature validation.
- Brute-Force Attacks:
  - Use alias- or array-based batching
  - Employ CrackQL or Burp Suite for brute-forcing
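For the JWT validation item, it helps to have a reference for what a correct check looks like on the server, so that a finding can be described in terms of the missing step. The block below is an added example, not code from the checklist or from any library: an HS256 verifier with every reject path explicit (segment count, pinned algorithm, constant-time signature compare, expiry) and a small issuer used only to build sample tokens. `DEMO_KEY`, the helper names and the sample claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example: HS256 verification with explicit reject paths (hypothetical helper, stdlib only).
DEMO_KEY = b"constructed-demo-key"   # constructed sample secret, not a real credential

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key):
    """Issue an HS256 token; used here only to build sample input for the verifier below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token, key, now=None):
    """Return (claims, None) if the token is valid, else (None, reason)."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(_b64url_decode(h64)), _b64url_decode(s64)
    except ValueError:                          # wrong segment count, bad base64 or bad JSON
        return None, "malformed token"
    if not isinstance(header, dict):
        return None, "malformed token"
    # The server pins the algorithm; the header never gets to choose it ('none', key confusion).
    if header.get("alg") != "HS256":
        return None, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None, "bad signature"
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        return None, "malformed claims"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "token expired or missing exp"
    return claims, None
```

The claims are only decoded after the signature passes, so nothing in the payload influences a decision before it has been authenticated. A token whose payload was edited while the original signature was kept, one whose header names a different algorithm, and one signed under another key all fail at the step that names the defect.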
Injection Testing
- Test Points:
  - Query and field arguments
  - Query directive arguments
  - Operation names
- SQL Injection: Use SQLmap for automated testing.
- OS Command Injection: Test with Commix.
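A GraphQL argument is attacker-controlled text that reaches a resolver, so the finding behind this section is always the same: the resolver splices the argument into a statement instead of binding it. The following added example (not from the checklist; the schema, table and rows are constructed) shows a resolver for a hypothetical `user(name: String!)` field written both ways against an in-memory SQLite table, so the difference in behaviour on the classic quote-breaking probe can be seen directly.

```python
import sqlite3

# Added example: the same resolver written unsafely and safely (hypothetical schema and data).
def demo_db():
    """Constructed in-memory table standing in for the real backing store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con

def resolve_user_unsafe(con, name):
    """Resolver for a hypothetical user(name:) field with the argument spliced into the SQL text."""
    return con.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()

def resolve_user_safe(con, name):
    """Same resolver with a bound parameter: the argument is data and cannot alter the statement."""
    return con.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()
```

The same rule applies to directive arguments and operation names if they are ever logged or stored through a query builder, and to OS command execution, where the equivalent of parameter binding is an argument list passed to the process without a shell.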
Forging Requests
- CSRF Testing:
  - Check for anti-CSRF tokens
  - Explore token bypass possibilities
- Request Methods:
  - Test GET-based queries and mutations
  - Test POST-based state changes
Hijacking Requests
- Server Validation:
  - Check for WebSocket subscription support
  - Check whether the Origin header is validated during the handshake
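The two sections above (Forging Requests and Hijacking Requests) are closed by the same family of server-side checks, so one added example covers both; it is not code from the checklist or from any GraphQL server. `check_http_request` refuses mutations over GET, requires a JSON content type for POST (a form or text body is a CORS "simple request" that a browser sends cross-site without preflight), checks the Origin header against an allow-list, and requires an anti-CSRF token on mutations; `check_ws_handshake` rejects a subscription handshake whose Origin is absent or foreign, since browsers always send Origin on WebSocket upgrades. `ALLOWED_ORIGINS`, the `X-CSRF-Token` header name and the helper names are assumptions made for the example.

```python
import hmac
import re

# Added example (hypothetical policy, not from the checklist or any framework).
ALLOWED_ORIGINS = {"https://app.example.test"}        # constructed allow-list
_COMMENT = re.compile(r"#[^\n]*")

def operation_type(query):
    """Keyword of the first definition: query, mutation or subscription ('{' shorthand is a query)."""
    head = _COMMENT.sub("", query).lstrip(" \t\r\n,")
    if head.startswith("{"):
        return "query"
    m = re.match(r"(query|mutation|subscription)\b", head)
    return m.group(1) if m else "unknown"

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def check_http_request(method, headers, query, session_csrf_token=None):
    """Gate a GraphQL HTTP request; returns (allowed, reason)."""
    h, op = _lower(headers), operation_type(query)
    if method == "GET" and op != "query":
        return False, f"{op} over GET is not allowed"          # GET is for reads only
    if method == "POST":
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return False, "POST body must be application/json"   # form/text bodies skip CORS preflight
        origin = h.get("origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            return False, "origin not allowed"
        if op == "mutation":                                  # second, independent CSRF barrier
            sent = h.get("x-csrf-token", "")
            if not session_csrf_token or not hmac.compare_digest(sent, session_csrf_token):
                return False, "missing or wrong anti-CSRF token"
    return True, "ok"

def check_ws_handshake(headers):
    """Gate a subscription (WebSocket) handshake; absent or foreign Origin is rejected."""
    h = _lower(headers)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    if h.get("origin") not in ALLOWED_ORIGINS:
        return False, "missing or disallowed origin"
    return True, "ok"
```

Rejecting a handshake with no Origin header is a policy choice that suits a browser-facing endpoint; an API that must also serve non-browser clients would instead authenticate those clients explicitly rather than relax the check.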