The Devil's Playground - Hacking GraphQL - Part 2

GraphQL Security Tools

In Part 1 some basic GraphQL principles were covered. This section covers a couple of useful tools to use when security testing GraphQL APIs.

Burp Suite

Just like any other web application test, acting as a proxy between the client and backend server is more than likely essential for understanding the application flow and business logic, and Burp Suite is most pen-testers' choice for this task.

Initially, when Burp is running between the client and the API, the GraphQL queries, mutations and subscriptions will appear as a disorganized POST request body. An example is shown below.

This is where an extension like GraphQL Raider might help.

The extension adds a few tabs that make sending GraphQL queries more manageable. The image below is from the Repeater tab.

Schema File & Insomnia

If your client can supply a schema file, or one can be downloaded from the target API's GraphQL playground, it can be loaded into an IDE so you can really explore what the API offers.

Insomnia is an IDE made for GraphQL and can import the .json schema files. It could also be chained to Burp if you want to combine the tools.
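Before loading a schema file into an IDE, it is often useful to get a quick listing of the types, fields and arguments it exposes so the attack surface can be reviewed. The script below is an added example, not code from the original post or from any of the tools mentioned; it parses the introspection JSON that a GraphQL playground exports (a small constructed sample is embedded inline) and renders each object type's fields in SDL-like form, including the root Query and Mutation types.

```python
import json

# Constructed sample of a GraphQL introspection result (the shape of a
# schema .json exported from a playground). Not taken from any real API.
SCHEMA_JSON = """
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "mutationType": {"name": "Mutation"},
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "user",
       "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": null,
                 "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}],
       "type": {"kind": "OBJECT", "name": "User", "ofType": null}}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "resetPassword",
       "args": [{"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": null}}],
       "type": {"kind": "SCALAR", "name": "Boolean", "ofType": null}}]},
    {"kind": "OBJECT", "name": "User", "fields": [
      {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": null}},
      {"name": "passwordHash", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]},
    {"kind": "OBJECT", "name": "__Schema", "fields": [
      {"name": "types", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]}
  ]}}}
"""

def type_ref(t):
    """Render a (possibly wrapped) introspection type reference as SDL, e.g. [User!]!."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]

def summarize(schema_json):
    """Return {type_name: [field signature, ...]} for user-defined object types."""
    schema = json.loads(schema_json)["data"]["__schema"]
    summary = {}
    for t in schema["types"]:
        # Skip scalars/enums and the built-in introspection meta-types (__Schema, __Type, ...)
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        sigs = []
        for f in t["fields"] or []:
            args = ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in f["args"])
            sigs.append(f"{f['name']}({args}): {type_ref(f['type'])}" if args
                        else f"{f['name']}: {type_ref(f['type'])}")
        summary[t["name"]] = sigs
    return summary

if __name__ == "__main__":
    for name, sigs in summarize(SCHEMA_JSON).items():
        print(f"type {name} {{\n" + "\n".join("  " + s for s in sigs) + "\n}")
```

A field such as `passwordHash` on a user-facing type, or an unauthenticated mutation like `resetPassword`, is the kind of finding this listing makes visible before any requests are sent.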

Join us in Part 3 (in progress) to start testing some specific vulnerabilities.

-- The Escaped Team --