The Devil's Playground - Hacking GraphQL - Part 1

What is GraphQL

Over the last few years, anyone working in mobile application development will have noticed GraphQL appearing as the de facto backend API.

For many years RESTful APIs have been the go-to for developers wanting to connect their frontend applications to backend data. But the new kid in town is gaining popularity and developer support.

GraphQL's rise has also been symbiotic with the growth of React Native, which has been changing the landscape of mobile application development.

Facebook created GraphQL internally in 2012 and open sourced it in 2015, later handing control to the GraphQL Foundation in 2018.

Why are developers turning to GraphQL?

1. Getting the data you want

Very simply put, it allows frontend developers to query for exactly what data they need.

Let's work through a basic example.

A mobile developer wants a list of usernames to display.

With a RESTful API the developer might call an endpoint such as /users, which returns a list of full user objects:

  [
    {
      "username": "robp",
      "registeredDate": "2019-4-3",
      "firstname": "rob",
      "lastname": "Pope",
      "contactNo": "14151234044",
      "accountNo": "12345678"
    }
  ]

That's great, but all they needed was a list of usernames. The response carries a lot of unneeded data that the mobile application code then has to filter out. Note also what is being shipped to the client: contact numbers and account numbers that the screen never displays.

GraphQL Query

With GraphQL the developer can ask for exactly the data they need, in this case the usernames:

  query MyQuery {
    Users {
      username
    }
  }

Which would return:

  {
    "data": {
      "Users": [
        { "username": "RobP" },
        { "username": "SamA" }
      ]
    }
  }

So there is a little more work on the frontend (the client writes the query), but you get back exactly the results you need and nothing else: the query names the fields you want, and the response contains only those fields.
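As an added example (not code from the original post), here is how the query above travels over HTTP and how a client pulls the usernames out of the reply. GraphQL normally lives on a single POST endpoint that takes a JSON body with a "query" string and optional "variables". One thing the response shown above does not reveal is that a GraphQL server answers HTTP 200 even when the operation fails, reporting the failure in an "errors" array, so the client has to check for it rather than trusting the status code. The endpoint URL and the two sample responses below are assumptions constructed for this example.

```python
import json
import urllib.request
from typing import List, Optional

# The query from the post: ask the Users field for usernames only.
USERNAMES_QUERY = """
query MyQuery {
  Users {
    username
  }
}
"""


def build_request(query: str, variables: Optional[dict] = None) -> bytes:
    """Serialise a GraphQL operation into the JSON body a server expects."""
    body = {"query": query}
    if variables:
        body["variables"] = variables
    return json.dumps(body).encode("utf-8")


def extract_usernames(response: dict) -> List[str]:
    """Pull Users[*].username out of a GraphQL response.

    Raises ValueError if the response carries an "errors" array: GraphQL
    reports failures there, usually with an HTTP 200 status, so a client
    that only checks the status code would silently get an empty list.
    """
    if response.get("errors"):
        messages = "; ".join(e.get("message", "?") for e in response["errors"])
        raise ValueError("GraphQL errors: " + messages)
    users = (response.get("data") or {}).get("Users") or []
    return [u["username"] for u in users if "username" in u]


def fetch_usernames(endpoint: str) -> List[str]:
    """POST the query to a live endpoint (network call, not exercised offline)."""
    req = urllib.request.Request(
        endpoint,
        data=build_request(USERNAMES_QUERY),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_usernames(json.load(resp))


# Constructed sample response, matching the one shown in the post.
SAMPLE_RESPONSE = {
    "data": {"Users": [{"username": "RobP"}, {"username": "SamA"}]}
}

# Constructed failure response: HTTP 200 on the wire, but the field did
# not resolve, so "data" is null and the reason sits in "errors".
SAMPLE_ERROR_RESPONSE = {
    "errors": [{"message": 'Cannot query field "Users" on type "Query".'}],
    "data": None,
}

if __name__ == "__main__":
    print(extract_usernames(SAMPLE_RESPONSE))
    # fetch_usernames("https://api.example.invalid/graphql")  # assumed URL
```

The same request shape (a JSON body carrying "query") is what a playground sends on your behalf, which is why anything that can POST to the endpoint can run the same queries the playground can.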

2. Schema & Playgrounds

Another advantage for developers is that a GraphQL server can deliver its own schema (via introspection), which developer tools then consume directly. With RESTful APIs, back-end developers usually had to document the endpoints in the code or maintain the documentation separately.

Most GraphQL servers in development mode ship with a playground. As the name suggests, this lets developers browse the API schema, run queries and change data via mutations. If you want to take a look at a playground, nudge me on Twitter and we'll spin up a cloud image.

Web Playgrounds

Just out of interest, we wondered how many developers had overridden the standard best practice of only running playgrounds locally and had instead placed them on the Internet.

We took a look using Shodan with a search of 'http.title:"graphql"', which returned the following:

A fairly unsophisticated search brought back 3,333 results. Browsing these sites, it quickly became evident that some of them were APIs for major household names, which revealed their API schemas. We found quite a few with default passwords filled in ready for use!
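As an added example (not code from the original post), the following script sends the standard introspection query that a playground relies on and summarises what a server that answers it gives away: every object type with its fields, and every mutation with its arguments. The endpoint URL is an assumption, and the two replies embedded below are constructed to resemble an open server and a locked-down one.

```python
import json
import urllib.request
from typing import Dict, List

# Trimmed version of the introspection query that playgrounds and other
# GraphQL tooling send to discover the schema.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind
      name
      fields { name args { name } }
    }
  }
}
"""


def _schema(response: dict) -> dict:
    return (response.get("data") or {}).get("__schema") or {}


def introspection_enabled(response: dict) -> bool:
    """True when the server returned a schema instead of refusing the query.

    A server with introspection disabled typically answers with an "errors"
    entry and no __schema data (see the constructed CLOSED_RESPONSE below).
    """
    return bool(_schema(response).get("types"))


def summarise_schema(response: dict) -> Dict[str, List[str]]:
    """Map each user-defined object type to its field names.

    Built-in types (names starting with "__") and types without fields
    (scalars, enums) are skipped, leaving the part an attacker cares about.
    """
    summary: Dict[str, List[str]] = {}
    for t in _schema(response).get("types") or []:
        name = t.get("name") or ""
        if name.startswith("__") or not t.get("fields"):
            continue
        summary[name] = [f["name"] for f in t["fields"]]
    return summary


def mutations(response: dict) -> Dict[str, List[str]]:
    """Map each mutation (write operation) to its argument names.

    Mutations are the first thing to review on an exposed endpoint, since
    they are the operations that change data.
    """
    schema = _schema(response)
    mutation_type = (schema.get("mutationType") or {}).get("name")
    if not mutation_type:
        return {}
    for t in schema.get("types") or []:
        if t.get("name") == mutation_type:
            return {f["name"]: [a["name"] for a in f.get("args") or []]
                    for f in t.get("fields") or []}
    return {}


def probe(endpoint: str) -> dict:
    """POST the introspection query to a live endpoint (not exercised offline)."""
    req = urllib.request.Request(
        endpoint,
        data=json.dumps({"query": INTROSPECTION_QUERY}).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed reply from a server that still has introspection switched on.
OPEN_RESPONSE = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": {"name": "Mutation"},
            "types": [
                {"kind": "OBJECT", "name": "Query",
                 "fields": [{"name": "Users", "args": []}]},
                {"kind": "OBJECT", "name": "User",
                 "fields": [{"name": "username", "args": []},
                            {"name": "accountNo", "args": []}]},
                {"kind": "OBJECT", "name": "Mutation",
                 "fields": [{"name": "updateUser",
                             "args": [{"name": "username"}, {"name": "contactNo"}]}]},
                {"kind": "SCALAR", "name": "String", "fields": None},
                {"kind": "OBJECT", "name": "__Schema",
                 "fields": [{"name": "types", "args": []}]},
            ],
        }
    }
}

# Constructed reply from a server that refuses introspection.
CLOSED_RESPONSE = {
    "errors": [{"message": "GraphQL introspection is not allowed"}],
    "data": None,
}

if __name__ == "__main__":
    for label, reply in (("open", OPEN_RESPONSE), ("closed", CLOSED_RESPONSE)):
        print(label, introspection_enabled(reply), summarise_schema(reply),
              mutations(reply))
    # probe("https://api.example.invalid/graphql")  # assumed URL
```

A server that answers this query from the Internet is advertising its attack surface, and an exposed playground simply renders the same reply in the browser. The fix is a deployment setting rather than application code: Apollo Server 2, for instance, takes `introspection` and `playground` options that should both be false outside development.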

In Part 2 we'll be looking at what tools are needed for GraphQL security testing and some common vulnerabilities.

-- The Escaped Team --

© 2020 All Rights Reserved