GraphQL pentest playbook — find the endpoint, dump the schema (introspection or field-suggestion fallback), then test for authorization gaps, query batching, alias overload, depth-based DoS, and SQLi/NoSQLi in resolver arguments. Use when the target exposes a /graphql endpoint, GraphiQL, Apollo, or accepts GraphQL queries.
Wulan234/agent · ★ 0 · API & Backend · score 75
Install: claude install-skill Wulan234/agent
# GraphQL playbook

Execution rule: resolve the real GraphQL endpoint first, then run concrete `http`/curl requests against it. Never write literal placeholders such as `<other-id>` to files; ask once if required IDs or sessions are missing.

Standard endpoints to probe first (use `http` with `GET` / `POST`): `/graphql`, `/graphiql`, `/api/graphql`, `/v1/graphql`, `/v2/graphql`, `/query`, `/api/query`.

## 1. Confirm it's GraphQL

POST a tiny query — every implementation answers this:

```json
{"query":"{__typename}"}
```

A reply containing `{"data":{"__typename":"Query"}}` confirms the endpoint. Note the response shape: `{ "data": ..., "errors": [...] }`.

## 2. Schema discovery

### 2a. Introspection (the easy path)

```json
{"query":"query IntrospectionQuery { __schema { queryType { name } mutationType { name } subscriptionType { name } types { ...FullType } } } fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name } possibleTypes { ...TypeRef } } fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } } }"}
```

Save the response — every
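Once the introspection response is saved, the first thing worth reading out of it is the list of root operations the schema exposes, with their argument and return types. The script below is an added example written for this page, not part of the skill; the response it parses is constructed by hand in the shape the IntrospectionQuery above returns, and the `ofType` unwrapping follows the nesting the `TypeRef` fragment produces.

```python
import json

# Constructed sample in the shape the IntrospectionQuery above returns,
# trimmed to the keys this script reads (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "isDeprecated": False,
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "isDeprecated": False, "args": [],
             "type": {"kind": "NON_NULL", "name": None, "ofType": {"kind": "LIST",
                      "name": None, "ofType": {"kind": "NON_NULL", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser", "isDeprecated": True,
             "args": [{"name": "id", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]}]}}})


def type_ref_to_str(ref):
    """Unwrap the nested ofType chain into GraphQL notation, e.g. [User!]!"""
    if ref["kind"] == "NON_NULL":
        return type_ref_to_str(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_ref_to_str(ref["ofType"]) + "]"
    return ref["name"]


def root_operations(response_text):
    """Map each root operation field to a signature like "user(id: ID!): User";
    deprecated fields (requested via includeDeprecated: true) are tagged so a
    schema audit does not overlook them."""
    schema = json.loads(response_text)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    out = {}
    for op in ("query", "mutation", "subscription"):
        root = schema.get(op + "Type")
        fields = by_name[root["name"]].get("fields") if root else None
        out[op] = {}
        for f in fields or []:
            args = ", ".join(f"{a['name']}: {type_ref_to_str(a['type'])}"
                             for a in f.get("args") or [])
            sig = f["name"] + (f"({args})" if args else "") + ": " + type_ref_to_str(f["type"])
            out[op][f["name"]] = sig + (" [deprecated]" if f.get("isDeprecated") else "")
    return out
```

Run it against the saved file with `root_operations(open("introspection.json").read())`; a missing `subscriptionType` (as in the sample) yields an empty map rather than an error.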