GraphQL

Data query and manipulation language for APIs

Uses HTTP/HTTPS, typically over POST requests.
JSON-based queries and responses.
Typically uses a single endpoint for all operations.
Apollo Server commonly uses port 4000 as its default when started without configuration.
Express-based GraphQL servers frequently use port 3000, simply because that's the default for many Express setups.
Introspection allows clients to query the API schema for available operations and data types.

Test Query Depth and Complexity: Check server limits on nested or complex queries to prevent performance issues.
Validate Input Types and Arguments: Test inputs with invalid data to identify validation weaknesses.
Examine Query Aliasing and Batching: Test for data leaks via aliased queries and batched requests.
Check for Introspection Misuse: Ensure introspection doesn't expose sensitive or unnecessary schema details.
Assess Authorization Controls: Confirm proper enforcement of access controls for queries and operations.
Evaluate Rate Limiting: Ensure the API handles excessive or malicious requests effectively.
Fuzz Mutations: Test for security and validation flaws in mutation operations.

Query All types in the Schema

?query={__schema{types{name}}}

?query={__type(name:"Query"){fields{name,description}}}

?query={__type(name:"User"){fields{name,type{name,kind},description}}}

?query={__type(name:"User"){fields{name,type{name,kind},description,args{name,type{name,kind}}}}}

?query=query{user{username,password}}

curl -X POST -H "Content-Type: application/json" -d '{"query":"YOUR_QUERY_HERE"}' http:///graphql

Last updated 1 month ago

Data query and manipulation language for APIs

Uses HTTP/HTTPS, typically over POST requests.
JSON-based queries and responses.
Typically uses a single endpoint for all operations.
Apollo Server commonly uses port 4000 as its default when started without configuration.
Express-based GraphQL servers frequently use port 3000, simply because that's the default for many Express setups.
Introspection allows clients to query the API schema for available operations and data types.

Test Query Depth and Complexity: Check server limits on nested or complex queries to prevent performance issues.
Validate Input Types and Arguments: Test inputs with invalid data to identify validation weaknesses.
Examine Query Aliasing and Batching: Test for data leaks via aliased queries and batched requests.
Check for Introspection Misuse: Ensure introspection doesn't expose sensitive or unnecessary schema details.
Assess Authorization Controls: Confirm proper enforcement of access controls for queries and operations.
Evaluate Rate Limiting: Ensure the API handles excessive or malicious requests effectively.
Fuzz Mutations: Test for security and validation flaws in mutation operations.

Query All types in the Schema

?query={__schema{types{name}}}

?query={__type(name:"Query"){fields{name,description}}}

?query={__type(name:"User"){fields{name,type{name,kind},description}}}

?query={__type(name:"User"){fields{name,type{name,kind},description,args{name,type{name,kind}}}}}

?query=query{user{username,password}}

curl -X POST -H "Content-Type: application/json" -d '{"query":"YOUR_QUERY_HERE"}' http:///graphql

Last updated 1 month ago