Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Detecting GraphQL APIs
  • Common Endpoints
  • Common GraphQL Responses
  • Nmap Scan
  • The __typename Field
  • Graphw00f
  • Detecting GraphiQL Explorer and GraphQL Playground
  • Introspection
  • Visualizing Introspection with GraphQL Voyager
  • Generating Introspection Documentation with SpectaQL

Was this helpful?

Edit on GitHub
  1. API-Sec
  2. GraphQL API Security Testing

RECONNAISSANCE

Detecting GraphQL APIs

GraphQL has many implementations written in a variety of programming languages, each of which could have different default configurations or known weaknesses

GraphQL Implementations and Languages

Server Implementation
Language

Apollo

TypeScript

Graphene

Python

Yoga

TypeScript

Ariadne

Python

graphql-ruby

Ruby

graphql-php

PHP

graphql-go

Go

graphql-java

Java

Sangria

Scala

Juniper

Rust

HyperGraphQL

Java

Strawberry

Python

Tartiflette

Python

Common Endpoints

/graphql
/graphiql
/v1/graphql
/v2/graphql
/v3/graphql
/v1/graphiql
/v2/graphiql
/v3/graphiql
/playground
/v1/playground
/v2/playground
/v3/playground
/api/v1/playground
/api/v2/playground
/api/v3/playground
/console
/api/graphql
/api/graphiql
/explorer
/api/v1/graphql
/api/v2/graphql
/api/v3/graphql
/api/v1/graphiql
/api/v2/graphiql
/api/v3/graphiql
/graphql.php
/graphql/console
/api
/api/graphql
/graphql/api
/graphql/graphql
/v1/graphql
/v2/graphql
/graphql/v1
/graphql/v2
/gql
/graphql-playground
/playground
/altair
/query
/graphql/query
/graphql-explorer
/api/v1/graphql
/api/v2/graphql
/public/graphql
/private/graphql
/internal/graphql
  • Endpoints like /graphql or IDE endpoints (/graphiql, /playground) are common but can be customized.

Example Endpoint Definition in Graphene:

Graphene, a Python-based implementation of GraphQL, can expose two endpoints, one for GraphQL, and the other for GraphiQL Explorer, which is built into Graphene:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema=schema
))
app.add_url_rule('/graphiql', view_func=GraphQLView.as_view(
  'graphiql',
  schema=schema,
  graphiql=True
))

Common GraphQL Responses

If the operation is a query, the result of the operation is the result of executing the operation’s top-level selection set with the query root operation type. An initial value may be provided when executing a query operation: ExecuteQuery(query, schema, variableValues, initialValue)

  1. Let queryType be the root Query type in the schema.

  2. Assert: queryType is an Object type.

  3. Let selectionSet be the top-level selection set in the query.

  4. Let data be the result of running ExecuteSelectionSet(selectionSet, queryType, initialValue, variableValues) normally (allowing parallelization).

  5. Let errors be any field errors produced while executing the selection set.

  6. Return an unordered map containing data and errors. In practice, this means a GraphQL API will return a data JSON field when there is a result to return to a client’s query. It will also return an errors JSON field whenever errors occur during the execution of a client query.

GraphQL APIs follow a standardized response structure, making them relatively easy to identify during penetration tests or bug bounty hunts. According to the GraphQL specification:

  1. Valid Query Response:

    • Returns a data JSON field containing the requested data.

  2. Invalid Query Response:

    • Returns an errors JSON field with details about the issue.

These predictable behaviors allow automated tools to identify GraphQL APIs by sending test queries and observing responses.


Nmap Scan

A common GraphQL response returned when a client makes a GET request.

curl -X GET http://localhost:5013/graphql
{"errors":[{"message":"Must provide query string."}]}

With this information, we now have the ability to automate a scan and pick up any other GraphQL servers that may exist on a network.

nmap -p 5013 -sV --script=http-grep --script-args='match="Must provide query string", http-grep.url="/graphql"' localhost

The __typename Field

Meta-fields are built-in fields that GraphQL APIs expose to clients. One example is __schema (part of introspection in GraphQL). Another example of a meta-field is __typename. When used, it returns the name of the object type being queried.

query {
    pastes {
        __typename
    }
}

----------------------
"data": {
    "pastes": [
        {
            "__typename": "PasteObject"
        }
    ]
}

As you can see, GraphQL tells us that the pastes object’s type name is PasteObject. The real hack here is that the __typename meta-field can be used against the query root type as well

# Detecting GraphQL by using GET-based queries with Nmap
nmap -p 5013 -sV --script=http-grep --script-args='match="__typename",http-grep.url="/graphql?query=\{__typename\}"' localhost

# Scanning multiple targets defined in a file with Nmap
nmap -p 5013 -iL hosts.txt -sV --script=http-grep --script-args='match="__typename", http-grep.url="/graphql?query=\{__typename\}"'

# Sending a POST-based query using cURL
curl -X POST http://localhost:5013/graphql -d '{"query":"{__typename }"}' -H "Content-Type: application/json"

# A Bash script to automate a POST-based GraphQL detection using cURL
for host in $(cat hosts.txt); do
    curl -X POST "$host" -d '{"query":"{__typename }"}' -H "Content-Type: application/json"
done

GraphQL tool based on Python for detecting GraphQL and performing implementation-level fingerprinting.

Graphw00f allows you to specify a custom list of endpoints when running a scan. If you don’t provide a list, Graphw00f will use its hardcoded list of common endpoints whenever it is tasked with detecting GraphQL.

# https://github.com/dolevf/graphw00f
cd ~/graphw00f
python3 main.py -d -t http://localhost:5013
python3 main.py -d -t http://localhost:5013 -w wordlist.txt

Detecting GraphiQL Explorer and GraphQL Playground

# EyeWitness
eyewitness --web --single http://localhost:5013/graphiql -d dvga-report

# Scanning multiple URLs with EyeWitness
echo 'http://localhost:5013/graphiql' > urls.txt
eyewitness --web -f urls.txt -d dvga-report

Introspection

State of Introspection in GraphQL Implementations (Table 4-2)

Language
Implementation
Introspection Default
Disable Option

Python

Graphene

Enabled

No

Python

Ariadne

Enabled

Yes

PHP

graphql-php

Enabled

Yes

Go

graphql-go

Enabled

No

Ruby

graphql-ruby

Enabled

Yes

Java

graphql-java

Enabled

No

An introspection query in its simplest form

query {
  __schema {
    types {
      name
    }
  }
}

Response:

{
  "data": {
    "__schema": {
      "types": [
        { "name": "PasteObject" },
        { "name": "CreatePaste" }
      ]
    }
  }
}

Visualizing Introspection Data

  • Use GraphQL Voyager to explore schema relationships:

    1. Paste the introspection response or upload the SDL file.

    2. View relationships visually (e.g., PasteObject links to OwnerObject).

  • A GraphQL introspection detection with the Nmap NSE

nmap --script=graphql-introspection -iL hosts.txt -sV -p 5013

Visualizing Introspection with GraphQL Voyager

Generating Introspection Documentation with SpectaQL

PreviousGraphQL Attack SurfaceNextGraphQL DOS

Last updated 3 months ago

Was this helpful?

Navigate to .

SpectaQL () is an open source project that allows you to generate static documentation based on an SDL file. The document that gets generated will include information about how to construct queries, mutations, and subscriptions; the different types; and their fields. We’ve hosted an example SpectaQL-generated schema of DVGA at so you can see how SpectaQL looks when it’s functional.

✉️
Graphw00f
GraphQL Voyager
https://github.com/anvilco/spectaql
http://lab.blackhatgraphql.com:9001
An HTML report produced by EyeWitness
or ,
https://ivangoncharov.github.io/graphql-voyager
http://lab.blackhatgraphql.com:9000