GraphQL Testing Tips

Make your life easier while testing GraphQL queries

1. UNDERSTANDING GRAPHQL

This section contains descriptive and short examples of GraphQL queries.

1.1 What does it Look Like?

Example 1: Simple selective query with a variable

Figure 1: Simple GraphQL Query

character: object

id: the variable the query takes

name: the information that will be retrieved from the character object

Example 2: Another selective query with a variable

Figure 2: Less-Complex GraphQL Query

HeroNameAndFriends: Query name

hero: object

name: Name attribute from the main object

friends: Subobject (think of it as a sub-attribute of the hero with the specified name)

episode: Variable

Example 3: An example of writing data with GraphQL

Figure 3: Writing data with GRAPHQL

mutation: Keyword that is used for writing data in GraphQL

As shown in the examples above, GraphQL queries are already pretty descriptive by themselves. Just like with every other web application security flaw, what we care about is putting payloads into the variables and/or testing whether we can call functions without proper authorization.

2. UNDERSTANDING GRAPHQL IN THE WILD

This section contains descriptive information about recognising and understanding GraphQL on real targets/engagements.

2.1 Main Challenges

  1. How to detect GraphQL?

  2. How to detect which Queries/Mutations exist?

  3. What to Try?

2.1.1 How to Detect GraphQL

GraphQL usually lives under the /graphql endpoint. In addition to that, it is a good idea to go through the HTTP request history and check whether the application has sent any request with a similar syntax (a JSON body with a "query" key containing a query or mutation string).

A GraphQL request in Burp's HTTP History

2.1.2 How to Detect which Queries/Mutations Exist

Introspection Query

If the Introspection query is enabled on the target GraphQL app, it is possible to dump the whole schema with a single request. Please see the following link for more info: https://graphql.org/learn/introspection/

The following string can be sent to the GraphQL endpoint in a POST request to dump the whole schema (if Introspection is allowed, of course).

{"query": "query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

An example result of the Introspection Query

It may look confusing, but it simply returns the complete schema: which queries and mutations can be called, what parameters they take, and some other information such as the types of the fields and arguments.
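To make that result readable, the introspection JSON can be reduced to one line per root query and mutation with its argument types. The following Python script is an added example, not code from the original page or from InQL; it parses a constructed sample response (not output from any real target, and trimmed to the fields the script reads) and resolves the nested NON_NULL/LIST type wrappers into GraphQL SDL notation. On a real engagement the response text would come from POSTing the query string above to the endpoint.

```python
import json

# Constructed sample introspection response, trimmed to the fields this script
# reads; it is not output from any real target.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "character",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "Character", "ofType": None}},
            {"name": "hero",
             "args": [{"name": "episode", "type": {"kind": "ENUM", "name": "Episode", "ofType": None}}],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "Character", "ofType": None}}}]},
        {"name": "Mutation", "fields": [
            {"name": "createReview",
             "args": [{"name": "review", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "INPUT_OBJECT", "name": "ReviewInput", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "Review", "ofType": None}}]},
    ]}}})

def type_name(t):
    """Render a nested TypeRef (NON_NULL/LIST wrappers) in GraphQL SDL notation."""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]

def list_operations(response_text):
    """Map each root operation kind ('query', 'mutation', 'subscription') to a
    list of SDL-style signatures, e.g. 'character(id: ID!): Character'."""
    schema = json.loads(response_text)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    result = {}
    for key in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(key)
        if not root:  # the schema has no root type of this kind
            continue
        sigs = []
        for f in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f["args"])
            sigs.append(f"{f['name']}({args}): {type_name(f['type'])}")
        result[key[:-len("Type")]] = sigs
    return result

if __name__ == "__main__":
    print(json.dumps(list_operations(SAMPLE_RESPONSE), indent=2))
```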

Luckily, there is already a Burp Suite extension that runs the Introspection query for you and shows each query and mutation separately in a much more readable format.

The extension is called InQL Scanner. Please see the following link for the official GitHub repo: https://github.com/doyensec/inql

InQL Scanner in Action

If Introspection Query is not Allowed

Well, the best you can do is to visit every part of the application and check the HTTP history logs for the queries and mutations the client actually uses.

2.1.3 What to Try

There is no exact list of what to try, but the following list is what I do:

  1. Log in, note down the authenticated GraphQL requests and replay them without your cookie.

  2. If the Introspection query is allowed, try to find interesting queries that may lead to scenarios such as data leaks, access to users' PII, adding yourself to an authenticated panel, etc.

  3. Change the variables to achieve IDOR.

  4. Try SSRF, SQLi and other payloads in the variables. (I've never seen an XSS in GraphQL.)
