GraphQL
Data query and manipulation language for APIs
Uses HTTP/HTTPS, typically over POST requests. JSON-based queries and responses. Typically uses a single endpoint for all operations.
Apollo Server commonly uses port 4000 as its default when started without configuration. Express-based GraphQL servers frequently use port 3000, simply because that's the default for many Express setups.
Introspection allows clients to query the API schema for available operations and data types.
Fuzzing Tips
Test Query Depth and Complexity: Check server limits on nested or complex queries to prevent performance issues.
Validate Input Types and Arguments: Test inputs with invalid data to identify validation weaknesses.
Examine Query Aliasing and Batching: Test for data leaks via aliased queries and batched requests.
Check for Introspection Misuse: Ensure introspection doesn't expose sensitive or unnecessary schema details.
Assess Authorization Controls: Confirm proper enforcement of access controls for queries and operations.
Evaluate Rate Limiting: Ensure the API handles excessive or malicious requests effectively.
Fuzz Mutations: Test for security and validation flaws in mutation operations.
Introspection Queries
?query={__schema{types{name}}}
?query={__type(name:"Query"){fields{name,description}}}
?query={__type(name:"User"){fields{name,type{name,kind},description}}}
?query={__type(name:"User"){fields{name,type{name,kind},description,args{name,type{name,kind}}}}}