GraphQL

Data query and manipulation language for APIs

  • Uses HTTP/HTTPS, typically over POST requests.

  • JSON-based queries and responses.

  • Typically uses a single endpoint for all operations.

  • Apollo Server commonly uses port 4000 as its default when started without configuration.

  • Express-based GraphQL servers frequently use port 3000, simply because that's the default for many Express setups.

  • Introspection allows clients to query the API schema for available operations and data types.

Fuzzing Tips

  • Test Query Depth and Complexity: Check server limits on nested or complex queries to prevent performance issues.

  • Validate Input Types and Arguments: Test inputs with invalid data to identify validation weaknesses.

  • Examine Query Aliasing and Batching: Test for data leaks via aliased queries and batched requests.

  • Check for Introspection Misuse: Ensure introspection doesn't expose sensitive or unnecessary schema details.

  • Assess Authorization Controls: Confirm proper enforcement of access controls for queries and operations.

  • Evaluate Rate Limiting: Ensure the API handles excessive or malicious requests effectively.

  • Fuzz Mutations: Test for security and validation flaws in mutation operations.
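The depth, aliasing and batching tips above, turned into a server-side guard as an added example (not code from the original page): a small Node.js check that bounds selection-set depth, alias count and batch size before a request reaches the executor. It uses its own minimal scanner rather than the graphql package, and the thresholds in LIMITS are assumed values to tune per schema.

```javascript
// Added example, not code from the original page: a pre-execution guard for a
// Node/Express GraphQL endpoint that bounds selection-set depth, alias count and
// batch size. LIMITS holds assumed thresholds; tune them for the real schema.
const LIMITS = { maxDepth: 6, maxAliases: 10, maxBatch: 20 };

// Blank out block strings, quoted strings and # comments so their braces/colons do not count.
function stripStringsAndComments(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Depth = deepest nesting of selection sets (outermost counts as 1). Aliases are `name: field`
// pairs; text inside (...) is skipped, so arguments and variable definitions contribute neither.
function analyzeQuery(query) {
  let braceDepth = 0, parenDepth = 0, maxDepth = 0, body = '';
  for (const ch of stripStringsAndComments(query)) {
    if (ch === '(') { parenDepth++; continue; }
    if (ch === ')') { parenDepth--; continue; }
    if (parenDepth > 0) continue;
    if (ch === '{') { braceDepth++; maxDepth = Math.max(maxDepth, braceDepth); }
    else if (ch === '}') braceDepth--;
    body += ch;
  }
  const aliases = (body.match(/[A-Za-z_]\w*\s*:\s*[A-Za-z_]/g) || []).length;
  return { maxDepth, aliases, balanced: braceDepth === 0 && parenDepth === 0 };
}

function checkQuery(query, limits = LIMITS) {
  const stats = analyzeQuery(query);
  const problems = [];
  if (!stats.balanced) problems.push('unbalanced braces or parentheses');
  if (stats.maxDepth > limits.maxDepth) problems.push(`depth ${stats.maxDepth} exceeds ${limits.maxDepth}`);
  if (stats.aliases > limits.maxAliases) problems.push(`${stats.aliases} aliases exceed ${limits.maxAliases}`);
  return { ok: problems.length === 0, ...stats, problems };
}

// A POST body is one operation or a JSON array of them (batching); cap the batch first.
function checkRequestBody(body, limits = LIMITS) {
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length > limits.maxBatch) {
    return { ok: false, problems: [`batch of ${ops.length} operations exceeds ${limits.maxBatch}`] };
  }
  const results = ops.map(op => checkQuery(String((op && op.query) || ''), limits));
  return { ok: results.every(r => r.ok), problems: results.flatMap(r => r.problems) };
}
// Constructed samples: the page's introspection query passes, an eight-level-deep query does not.
console.log(checkQuery('{__schema{types{name}}}').ok, checkQuery('{a{b{c{d{e{f{g{h}}}}}}}}').ok);
```

Wire checkRequestBody into the endpoint's request handler ahead of the GraphQL executor and return a 400 when ok is false; a real deployment would also replace the scanner with the graphql package's validation rules.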

Introspection Queries

Queries all types in the schema:
?query={__schema{types{name}}}

Queries all fields defined under the Query type:
?query={__type(name:"Query"){fields{name,description}}}

Fetches the fields of the User type:
?query={__type(name:"User"){fields{name,type{name,kind},description}}}

Fetches the args of each field of the User type:
?query={__type(name:"User"){fields{name,type{name,kind},description,args{name,type{name,kind}}}}}

Data Queries

Queries the actual user object for its username and password fields:
?query=query{user{username,password}}

curl commands

Sends the same query in a JSON POST body instead of the query string:
curl -X POST -H "Content-Type: application/json" -d '{"query":"YOUR_QUERY_HERE"}' http:///graphql