GraphQL Pentesting Guide.
Blogs
| Credits | URL |
|---|---|
| PortSwigger | GraphQL Basics Level 1 |
| PortSwigger | GraphQL with labs |
| Hacktricks | Pentesting Web - GraphQL |
| The Bilal Rizwan | GraphQL Common Vulnerabilities: How to Exploit Them |
| OWASP | Testing GraphQL |
| CyberW1ng | GraphQL API Vulnerabilities in Web App Penetration Testing 2023 |
| Anugrah SR | GraphQL Pentesting for Dummies Part 1 |
| Escape Tech | Pentest 101 |
| Escape Tech | Pentesting 102 |
Tool
| Credits | URL |
|---|---|
| Dolev Farhi | graphw00f |
| doyensec | InQL |
| GraphQL Kit | GraphQL Voyager |
| GraphQL | https://github.com/graphql/graphiql |
| GraphQL | Online GraphiQL |
Videos
| Credits | URL |
|---|---|
| Rahul Shetty Academy | YouTube Playlist |
| Insider PhD | YouTube Video 1 |
| Insider PhD | YouTube Video 2 |
| HowToGraphQL | Introduction |
Vuln Lab
| Credits | URL |
|---|---|
| DVGA (Dolev Farhi) | Damn Vulnerable GraphQL Application |
| PortSwigger | PortSwigger |
| righettod | PoC GraphQL |
| StackHawk | Vuln GraphQL API |
Basics of GraphQL
Schema
The Schema defines the capabilities of the API and represents the contract between the client and the server. It defines the types available in the API and how they can be queried and mutated.
Types
GraphQL allows you to define your own types, including Scalar types (e.g., Int, String, Boolean) and Object types (e.g., User, Post). Types represent the shape of data that can be queried.
```graphql
type Example {
  id: ID
  name: String
  age: Int
  isActive: Boolean
}

type User {
  id: ID
  name: String
  email: String
  posts: [Post]
}
```
Queries
Queries are used by the client to request specific data from the server. A query in GraphQL mirrors the shape of the response it expects to receive.
```graphql
query GetUser {
  user(id: "123") {
    id
    name
    email
  }
}
```
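Because a query mirrors the shape of the response it expects, the nesting of its selection set is known before any resolver runs, and a server can reject over-deep queries up front. The following is an added example, not code from the original guide: it represents the GetUser query above as a plain selection tree (the shape a parser would hand back), builds a second, deliberately deep query that walks the `User.posts` relationship back through a hypothetical `Post.author` field, and measures both against an assumed maximum depth.

```javascript
// Added example: compute the nesting depth of a GraphQL selection set.
// A selection is { name, args?, selections? }; this mirrors what a parser
// produces for `query GetUser { user(id: "123") { id name email } }`.

// Constructed selection tree for the GetUser query shown above.
const getUserQuery = {
  operation: "query",
  name: "GetUser",
  selections: [
    {
      name: "user",
      args: { id: "123" },
      selections: [{ name: "id" }, { name: "name" }, { name: "email" }],
    },
  ],
};

// Constructed selection tree that walks the User.posts relationship and a
// hypothetical Post.author field back and forth, producing deep nesting.
const nestedQuery = {
  operation: "query",
  name: "Deep",
  selections: [
    {
      name: "user",
      args: { id: "123" },
      selections: [
        {
          name: "posts",
          selections: [
            {
              name: "author",
              selections: [{ name: "posts", selections: [{ name: "id" }] }],
            },
          ],
        },
      ],
    },
  ],
};

// Depth of a selection set: a leaf field counts as 1, an object field counts
// as 1 plus the depth of its own selection set.
function selectionDepth(selections) {
  let max = 0;
  for (const field of selections) {
    const d = field.selections ? 1 + selectionDepth(field.selections) : 1;
    if (d > max) max = d;
  }
  return max;
}

// Depth of the whole operation (the root selection set itself is not a level).
function queryDepth(query) {
  return selectionDepth(query.selections);
}

// Check a query against an assumed maximum depth. Returns a result object
// rather than throwing so the caller can decide whether to log or reject.
function checkDepth(query, maxDepth) {
  const depth = queryDepth(query);
  return { ok: depth <= maxDepth, depth, maxDepth };
}

console.log(checkDepth(getUserQuery, 3)); // { ok: true, depth: 2, maxDepth: 3 }
console.log(checkDepth(nestedQuery, 3)); // { ok: false, depth: 5, maxDepth: 3 }
```

The limit of 3 is an arbitrary value chosen for the example; a real deployment would pick it from the legitimate queries its clients send.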
Mutations
Mutations are used to modify data on the server. They allow clients to create, update, or delete data.
```graphql
mutation CreateUser {
  createUser(input: { name: "John", email: "john@example.com" }) {
    id
    name
    email
  }
}
```
Fields
Fields are the basic unit of data retrieval in GraphQL. They are used to request specific pieces of data about an object.
```graphql
query GetUser {
  user(id: "123") {
    id
    name
    email
  }
}
```
Resolvers
Resolvers are functions that determine how to fetch the data for a particular field. Each field in a GraphQL schema typically has a corresponding resolver function.
```javascript
const resolvers = {
  Query: {
    // `args` carries the query arguments (here `id`); `context` carries per-request
    // state such as the data store and the authenticated caller.
    user: (parent, args, context, info) => {
      // Logic to fetch user data (hypothetical in-memory store on the context)
      return context.users.find((u) => u.id === args.id) || null;
    },
  },
};
```
Directives
Directives provide a way to modify the behavior of a GraphQL query or mutation. They can be used to conditionally include fields, apply transformations, or provide metadata.
```graphql
query GetActiveUsers {
  users {
    id
    name
    email
    isActive @include(if: true)
  }
}
```
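The Mutations, Resolvers and Directives sections above describe pieces that only make sense together at execution time: the server walks the selection set, calls a resolver for each field with `(parent, args, context, info)`, and honours `@include` / `@skip` before resolving a field. The following added example (not code from the original guide or from any GraphQL library) is a minimal executor that does exactly that over pre-parsed selection trees. Everything in it is constructed for the example: the in-memory store `db`, a small `fieldTypes` map standing in for the schema, and `context.viewer` as the authenticated caller, which is assumed to have been set by the transport layer after verifying a session or token. It shows where authorization and input validation belong: in the resolvers, including a field-level check so that only a user's owner sees their `email`.

```javascript
// Added example: a minimal executor for pre-parsed GraphQL selection trees.
// It uses no external library and is not how graphql-js is implemented.

// Constructed in-memory data store.
const db = {
  users: [
    { id: "123", name: "Alice", email: "alice@example.com", isActive: true },
    { id: "456", name: "Bob", email: "bob@example.com", isActive: false },
  ],
};

// Minimal stand-in for the schema: the return type of each object-valued field.
const fieldTypes = {
  Query: { user: "User", users: "User" },
  Mutation: { createUser: "User" },
};

// Resolver map in the same shape as the page's example. Authorization lives here.
const resolvers = {
  Query: {
    user: (parent, args, context) => db.users.find((u) => u.id === args.id) || null,
    users: () => db.users,
  },
  Mutation: {
    createUser: (parent, args, context) => {
      if (!context.viewer) throw new Error("unauthenticated");
      const { name, email } = args.input;
      // Input validation: reject malformed data before it reaches the store.
      if (typeof name !== "string" || name.length === 0 || name.length > 64) {
        throw new Error("invalid name");
      }
      if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
        throw new Error("invalid email");
      }
      const user = { id: String(db.users.length + 1), name, email, isActive: true };
      db.users.push(user);
      return user;
    },
  },
  User: {
    // Field-level authorization: only the owner of the record sees the email.
    email: (parent, args, context) =>
      context.viewer && context.viewer.id === parent.id ? parent.email : null,
  },
};

// Evaluate @include / @skip on one field. Directive arguments may be literals
// or variable references written as "$name".
function isIncluded(field, variables) {
  const value = (arg) =>
    typeof arg === "string" && arg.startsWith("$") ? variables[arg.slice(1)] : arg;
  for (const d of field.directives || []) {
    if (d.name === "include" && value(d.args.if) !== true) return false;
    if (d.name === "skip" && value(d.args.if) === true) return false;
  }
  return true;
}

// Resolve one selection set against a parent value of the given type name.
function executeSelections(typeName, parent, selections, context, variables) {
  if (parent === null || parent === undefined) return null;
  if (Array.isArray(parent)) {
    return parent.map((item) => executeSelections(typeName, item, selections, context, variables));
  }
  const result = {};
  for (const field of selections) {
    if (!isIncluded(field, variables)) continue;
    const typeResolvers = resolvers[typeName] || {};
    // Default resolver: plain property lookup on the parent object.
    const resolve = typeResolvers[field.name] || ((p) => p[field.name]);
    const value = resolve(parent, field.args || {}, context, { fieldName: field.name });
    const childType = (fieldTypes[typeName] || {})[field.name];
    result[field.name] = field.selections
      ? executeSelections(childType, value, field.selections, context, variables)
      : value;
  }
  return result;
}

// Execute an operation ({ operation: "query" | "mutation", selections }) under a context.
function execute(op, context, variables = {}) {
  const rootType = op.operation === "mutation" ? "Mutation" : "Query";
  try {
    return { data: executeSelections(rootType, {}, op.selections, context, variables) };
  } catch (err) {
    return { data: null, errors: [{ message: err.message }] };
  }
}

// Constructed operations mirroring the queries on this page; "$withStatus" is a variable.
const getUser = { operation: "query", selections: [{ name: "user", args: { id: "123" },
  selections: [{ name: "id" }, { name: "name" }, { name: "email" }] }] };
const getActiveUsers = { operation: "query", selections: [{ name: "users", selections: [
  { name: "id" }, { name: "isActive", directives: [{ name: "include", args: { if: "$withStatus" } }] }] }] };
const createUser = { operation: "mutation", selections: [{ name: "createUser",
  args: { input: { name: "John", email: "john@example.com" } }, selections: [{ name: "id" }, { name: "name" }] }] };

const asAlice = { viewer: { id: "123" } };
const asBob = { viewer: { id: "456" } };
const anonymous = { viewer: null };

console.log(execute(getUser, asAlice)); // data.user.email is "alice@example.com"
console.log(execute(getUser, asBob)); // data.user.email is null
console.log(execute(getActiveUsers, asAlice, { withStatus: false })); // isActive omitted
console.log(execute(createUser, anonymous)); // errors: [{ message: "unauthenticated" }]
```

Note that the `User.email` resolver runs regardless of which query reached it, so the same check covers the `user`, `users` and `createUser` paths; putting the rule on the field rather than on each root resolver is what keeps it from being bypassed through a different entry point.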
Subscriptions
Subscriptions allow clients to receive real-time updates from the server. They enable a client to subscribe to specific events and receive notifications when those events occur.
```graphql
subscription NewPosts {
  newPost {
    id
    title
    content
  }
}
```