GraphQL

Enumerating GraphQL

When performing reconaissance, ensure the following paths are in your wordlist:

/v1/explorer
/v1/graphiql
/graph
/graphql
/graphql/console/
/graphql.php
/graphiql
/graphiql.php

After identifying a GraphQL endpointl, the next step is to submit an introspection query to discover what queries it supports:

{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

This query can be submitted in a POST request using Burp Suite, the following screenshot demonstrates:

If Introspection is disabled, then you will need to manually test for valid querie. The following tools can be leveraged as well as Burp Suite's Intruder: