GraphQL Resources for Penetration Testers

If you've been working on web application security testing for the last few years, then you've probably noticed GraphQL appearing more frequently. It has slowly been taking over from JSON RESTful interfaces as the de facto standard.

Outside of my work with Escaped, I also spend part of my day as the CTO of a mobile development company. Over the last year or so nearly all of our new projects have used GraphQL backends, and clients are now requesting it specifically. Personally, I found it a little annoying at first, but after working with it for a while I'm starting to get on board and drink the Kool-Aid.

Reducing Your Backend Burden ;)

The framework puts the onus for creating the types of queries the application needs on the front-end/mobile developer.

They can query the endpoint in a rich way, which means there is no longer constant chatter between back-end and front-end developers asking for an endpoint with a specific route that returns x or y data. The front-end now has control over that. This does, as with any framework designed to make life easier, open it up to new forms of abuse.

At the time of writing, the leading GraphQL software provider appears to be Apollo GraphQL, but just about every programming language now seems to have its own offering.

In a development environment, GraphQL offers a playground which shows which queries (get) and mutations (set) are available, and lets you see the results. This again reduces the need for developer conversations.

Apollo Playground

GraphQL Resources

If you're going to perform a security test on a GraphQL API for the first time, it's a bit of a leap from the RESTful experience. Here are some resources that might be useful as preparation for your test:

1. The Basics
graphql.org offers a nice walkthrough of some basic queries and mutations. Their learning section starts here. There is also a free YouTube video series which is geared more towards developers, but the first few chapters are definitely worth a watch.

2. Playground
There's a very simple demo which can be found on nodal. This is a good place to start for a quick test drive of GraphQL if you're a complete newbie.

3. GraphQL IDE
Although the well-known Postman IDE has GraphQL options, it had a bit of a slow start. Most of the developers I know use Insomnia. The core version should be fine for the basics.

4. Developer How-tos.
Before you start, understand how developers secure their APIs, so you can break them. A couple of good articles are listed below:

5. Get Tooled Up 🔪
Most penetration testers I know use Burp Suite by default. There are several GraphQL extensions for Burp.

Personally, I've found GraphQL Raider the most useful.

This makes working with the endpoints a little less painful.

6. Find Those Vulnerabilities
Many of the vulnerabilities in GraphQL APIs are familiar attacks such as SQL injection.

We recently managed to bypass authentication using the classic 1=1 query in an authentication field.
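The reason a classic injection still works is that GraphQL only validates the type of an argument, not its content; whatever the resolver does with the string is up to the developer. The following is an added example (not code from this post or from Apollo) of a resolver for an assumed `login(username: String!, password: String!)` mutation, written as a plain Python function over a constructed in-memory SQLite table, shown in its injectable form beside the parameterised fix.

```python
import sqlite3


def make_db():
    """Constructed sample user table standing in for the API's real database.
    Passwords are stored in plain text only to keep the demo short."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Resolver body that builds SQL by string formatting.

    The GraphQL layer has already checked that both arguments are Strings,
    but it has no opinion about their content, so the text of the query is
    under the caller's control.  Returns the matched username or None.
    """
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Same resolver using a parameterised query.

    The driver sends the two arguments as data bound to the placeholders,
    so no value can change the structure of the statement; an injection
    string is simply compared against the username column and fails.
    """
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None
```

Both resolvers accept alice's real credentials; only the first one accepts a username of `' OR 1=1 --`, which is exactly what a GraphQL-aware pentest should exercise on every String argument that ends up in a resolver.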

There are some decent blog posts which detail GraphQL-specific vulnerabilities; a few are noted below:

If you have any comments or resources to add, please contact us here

-- The Escaped Team --