GraphQL

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

GraphQL API attacks exploit weaknesses in GraphQL implementations. Common attack vectors include introspection queries, batching attacks, deeply nested queries for DoS, and authorization bypasses.

GraphQL's flexibility makes it powerful, but misconfigured endpoints can expose the entire schema and underlying data.

Category: Web

Key Commands & Payloads

The following queries and payloads are commonly used when testing GraphQL endpoints for the weaknesses above:

# Introspection: returns every type and field name in the schema
query { __schema { types { name fields { name } } } }
# Alias batching: several operations in one request (note the per-request alias count)
query { a1:login(pass:"pass1",user:"admin") {token} a2:login(pass:"pass2",user:"admin") {token} }
# Deep nesting: circular types let one query grow resolver work without bound (DoS)
query { user { posts { comments { user { posts { ... } } } } } }
# Mutation probing: a failed login checks error verbosity and lockout behaviour
mutation { login(username: "admin", password: "wrong") { token } }

Tools & Techniques

Recommended tools and techniques for GraphQL testing:

  • InQL: Burp Suite extension for GraphQL security testing
  • GraphQL Voyager: visualize the API schema
  • Clairvoyance: brute-force GraphQL field names
  • graphql-path-enum: enumerate GraphQL endpoints
  • Test introspection, batching, DoS via deep nesting, and authorization checks

Prevention & Mitigation

Security recommendations to prevent GraphQL attacks:

  • Disable introspection in production environments
  • Implement query depth limiting and rate limiting
  • Use query cost analysis to prevent expensive queries
  • Implement proper authorization at the resolver level
  • Use timeouts and maximum query complexity limits
  • Validate all input parameters strictly
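As an added example (not part of this cheatsheet), a dependency-free JavaScript guard that scores a raw query string against the depth, alias and introspection limits listed above, so the three payload patterns from the Key Commands section can be rejected before any resolver runs. The policy values and function names are assumptions for illustration.

```javascript
// Added example (not from the original cheatsheet): a pre-validation guard
// that scans a raw GraphQL query string for deep nesting, alias batching and
// introspection before resolvers run. Limits are illustrative; tune them to
// the depth and alias counts your schema's legitimate clients actually use.
const POLICY = { maxDepth: 4, maxAliases: 1, allowIntrospection: false };

// Remove string literals and comments so braces/colons inside them are ignored.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')    // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')  // ordinary strings
    .replace(/#[^\n]*/g, '');            // line comments
}

// Walk the token stream and measure selection-set depth, alias count and
// introspection use. Braces inside argument lists are input objects, not
// selection sets, so everything between '(' and ')' is skipped.
function analyzeQuery(query) {
  const tokens = stripLiterals(query).match(/[_A-Za-z][_0-9A-Za-z]*|\S/g) || [];
  let depth = 0, maxDepth = 0, parenDepth = 0, aliases = 0, introspection = false;
  tokens.forEach((tok, i) => {
    if (tok === '(') parenDepth++;
    else if (tok === ')') parenDepth--;
    else if (parenDepth > 0) return;                  // inside arguments
    else if (tok === '{') maxDepth = Math.max(maxDepth, ++depth);
    else if (tok === '}') depth--;
    else if (tok === ':' && depth > 0 && /^[_A-Za-z]/.test(tokens[i - 1] || '')) aliases++; // `alias: field`
    else if (tok === '__schema' || tok === '__type') introspection = true;
  });
  return { depth: maxDepth, aliases, introspection };
}

// Returns { ok, reasons, stats }: reject with a generic client error when
// !ok and log the reasons, which double as detection signals.
function checkQuery(query, policy = POLICY) {
  const stats = analyzeQuery(query);
  const reasons = [];
  if (stats.depth > policy.maxDepth) reasons.push(`depth ${stats.depth} > ${policy.maxDepth}`);
  if (stats.aliases > policy.maxAliases) reasons.push(`aliases ${stats.aliases} > ${policy.maxAliases}`);
  if (stats.introspection && !policy.allowIntrospection) reasons.push('introspection disabled');
  return { ok: reasons.length === 0, reasons, stats };
}

// Constructed sample: the deep-nesting pattern from the cheatsheet, depth 6.
console.log(checkQuery('query { user { posts { comments { user { posts { id } } } } } }'));
```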
