Practical GraphQL Scanning: Modern API Attack Surface Under the Microscope

GraphQL APIs offer flexibility and efficiency — but that same flexibility often introduces security blind spots. Unlike traditional REST, GraphQL exposes an entire query language to the client — and thus to attackers. This post walks through a practical GraphQL security testing workflow using Burp Suite + community tools, with a focus on precision, stealth, and clarity. 1. Reconnaissance: Is It GraphQL? Look for signs like: Endpoints like /graphql, /api/graphql, /gql Content-Type: application/json POST requests with query fields in body Example: { "query": "{ typename }" } A successful response with HTTP 200 and a "data" field confirms GraphQL is live. 2. Introspection Enabled? Send the classic introspection query: { "query": "{ schema { types { name } } }" } If enabled, it reveals the full schema — including queries, mutations, and types. You can also use tools like: python3 graphql-introspection.py -u https://target.com/graphql Or Burp extension: GraphQL Raider 3. Use Burp GraphQL Raider Extension Install via: Burp → BApp Store → GraphQL Raider Capabilities: Visual query builder Introspection analysis Auto fuzzing Token replacement Send any GraphQL POST to Repeater → "Send to GraphQL Raider" 4. Attack Vectors Now that you understand the schema, focus on key attack classes: ① Excessive Data Exposure query { users { id email passwordHash } } ② Broken Access Control Try sending the same query as a different role or unauthenticated. Check if sensitive objects are still returned. ③ Injection Attacks While SQL injection is rare in well-configured resolvers, try: query { search(term: "\" OR \"1\"=\"1") } Also test for: NoSQLi (Mongo-style payloads) SSTI (in template-powered GraphQL backends) ④ Denial of Service (DoS) Use deeply nested recursive queries: query { a { a { a { a { a { a } } } } } } Some servers crash or timeout. 5. Automated Scanning (Optional) GraphQL endpoints can be integrated into active scanning tools, but be cautious with rate-limiting and introspection-heavy payloads. Recommended: Manual + Raider for schema-aware fuzzing Intruder for token/session tests Passive detection of disclosure/misconfig 6. Defensive Tips (Bonus) If you're defending a GraphQL API: Disable introspection in production Apply query depth and complexity limiting Enforce RBAC on fields, not just endpoints Log and rate-limit abusive patterns Final Notes GraphQL flips the security model: the client controls the query shape. This demands fine-grained testing, schema awareness, and thoughtful payload design. In upcoming posts: Bypassing depth limits Field-level access control fuzzing Using GraphQL Voyager for visualization and mapping Understand the graph. Map the logic. Exploit the edges.

Mar 30, 2025 - 13:49

Practical GraphQL Scanning: Modern API Attack Surface Under the Microscope

GraphQL APIs offer flexibility and efficiency — but that same flexibility often introduces security blind spots.

Unlike traditional REST, GraphQL exposes an entire query language to the client — and thus to attackers.

This post walks through a practical GraphQL security testing workflow using Burp Suite + community tools, with a focus on precision, stealth, and clarity.

1. Reconnaissance: Is It GraphQL?

Look for signs like:

Endpoints like /graphql, /api/graphql, /gql
Content-Type: application/json
POST requests with query fields in body

Example:

{
  "query": "{ __typename }"
}

A successful response with HTTP 200 and a "data" field confirms GraphQL is live.

2. Introspection Enabled?

Send the classic introspection query:

{
  "query": "{ __schema { types { name } } }"
}

If enabled, it reveals the full schema — including queries, mutations, and types.

You can also use tools like:

python3 graphql-introspection.py -u https://target.com/graphql

Or Burp extension: GraphQL Raider

3. Use Burp GraphQL Raider Extension

Install via:

Burp → BApp Store → GraphQL Raider

Capabilities:

Visual query builder
Introspection analysis
Auto fuzzing
Token replacement

Send any GraphQL POST to Repeater → "Send to GraphQL Raider"

4. Attack Vectors

Now that you understand the schema, focus on key attack classes:

① Excessive Data Exposure

query {
  users {
    id
    email
    passwordHash
  }
}

② Broken Access Control

Try sending the same query as a different role or unauthenticated.

Check if sensitive objects are still returned.

③ Injection Attacks

While SQL injection is rare in well-configured resolvers, try:

query {
  search(term: "\" OR \"1\"=\"1")
}

Also test for:

NoSQLi (Mongo-style payloads)
SSTI (in template-powered GraphQL backends)

④ Denial of Service (DoS)

Use deeply nested recursive queries:

query {
  a { a { a { a { a { a } } } } }
}

Some servers crash or timeout.

5. Automated Scanning (Optional)

GraphQL endpoints can be integrated into active scanning tools, but be cautious with rate-limiting and introspection-heavy payloads.

Recommended:

Manual + Raider for schema-aware fuzzing
Intruder for token/session tests
Passive detection of disclosure/misconfig

6. Defensive Tips (Bonus)

If you're defending a GraphQL API:

Disable introspection in production
Apply query depth and complexity limiting
Enforce RBAC on fields, not just endpoints
Log and rate-limit abusive patterns

Final Notes

GraphQL flips the security model: the client controls the query shape.

This demands fine-grained testing, schema awareness, and thoughtful payload design.

In upcoming posts:

Bypassing depth limits
Field-level access control fuzzing
Using GraphQL Voyager for visualization and mapping

Understand the graph. Map the logic. Exploit the edges.