Pentest & Bug Bounty Resources and Techniques

GraphQL

An open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data.


Last updated 3 months ago

Common Directories

To identify exposed GraphQL instances, include the following paths in the wordlist used for directory brute forcing:

/graphql
/graphiql
/graphql.php
/graphql/console
/api
/api/graphql
/graphql/api
/graphql/graphql

Identifying open GraphQL instances allows for the examination of supported queries. This is crucial for understanding the data accessible through the endpoint. GraphQL's introspection system facilitates this by detailing the queries a schema supports. For more information on this, refer to the GraphQL documentation on introspection:

Basic Operations - Queries

We can fetch field information by sending queries.

query {
	__typename
}

Fields

To fetch a field object, send a query like the following.

query {
	user {
		name
		friends {
			name
		}
	}
}

Arguments

We can get specific information by passing arguments (e.g. id) to fields.

query {
	user (id: "1") {
		name
	}
}

Aliases

We can set an alias on each field to get multiple results in one request.

query {
	John: user (id: "1") {
		name
		age
	}
	Emma: user (id: "2") {
		name
		age
	}
}

Fragments

We can define an arbitrary fragment that is reusable when fetching each field. A fragment definition is placed at the top level of the document, next to the operation, not inside it.

query {
	firstUser: user (id: "1") {
		...userFields
	}
	secondUser: user (id: "2") {
		...userFields
	}
}

fragment userFields on User {
	name
	age
	friends {
		name
	}
}

Operation Names

We can define an operation name to make an operation less ambiguous. By setting a name, it becomes easier to understand at a glance what kind of operation it is.

query UserNameAndFriends {
	user {
		name
		friends {
			name
		}
	}
}

Variables

We can declare variables (prefixed with $) in the operation and pass their values separately, in the request's variables object, instead of hard-coding them in the query string.

query UserNameAndFriends($userId: ID) {
	user (id: $userId) {
		name
		friends {
			name
		}
	}
}

Directives

We can include or skip a field conditionally by attaching a directive to it.

  • include

Only include this field if the argument is true.

query UserNameAndFriends($userId: ID, $withFriends: Boolean!) {
	user(id: $userId) {
		name
		friends @include(if: $withFriends) {
			name
		}
	}
}

  • skip

Skip this field if the argument is true.

query UserNameAndFriends($userId: ID, $withFriends: Boolean!) {
	user(id: $userId) {
		name
		friends @skip(if: $withFriends) {
			name
		}
	}
}

Basic Operations - Mutations

We can modify data with a mutation operation.

mutation {
	__typename
}

To modify data, execute a mutation like the following.

mutation CreateCommentForPost($postId: ID!, $comment: Comment!) {
	createComment(id: $postId, comment: $comment) {
		comment
	}
}

Enumeration

# List fields
query { __schema { types { name } } }
query { __schema { types { fields { name } } } }
query { __schema { types { fields { name description } } } }
query { __schema { types { name fields { name } } } }
query { __schema { types { name fields { name args { name description type { name kind ofType { name kind } } } } } } }

# Dump database schema
fragment FullType on __Type { kind name description fields(includeDeprecated: true) { name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason } inputFields { ...InputValue } interfaces { ...TypeRef } enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason }  possibleTypes { ...TypeRef }} fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue } fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name ofType { kind name } } } } } } }} query IntrospectionQuery { __schema { queryType { name } mutationType { name } types { ...FullType } directives { name description locations args { ...InputValue } } } }

# Dump specific field
query { getUsers { username, password } }
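As an added example (not part of the original page), the following Python script walks the JSON returned by the IntrospectionQuery above and lists what the schema exposes, which is the same information someone reviewing their own API wants to see: every queryable object type, each field's arguments and return type, deprecated fields that are still callable, and field names that suggest sensitive data. The introspection response embedded in it is constructed, not captured from a real service, and the function names are my own.

```python
"""Walk a GraphQL introspection result and report what the schema exposes.

Added example, not from the original page. Assumes the IntrospectionQuery
shown above was sent to an endpoint and its JSON response is at hand; the
sample response below is constructed, not captured from a real service.
"""
import json
import re

# Constructed sample: the shape is what servers return for the IntrospectionQuery
# above, trimmed to a few user-defined types plus one built-in and one scalar.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": {"name": "Mutation"},
            "types": [
                {"kind": "OBJECT", "name": "Query", "fields": [
                    {"name": "user",
                     "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                               "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
                     "type": {"kind": "OBJECT", "name": "User", "ofType": None},
                     "isDeprecated": False},
                    {"name": "getUsers", "args": [],
                     "type": {"kind": "LIST", "name": None,
                              "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}},
                     "isDeprecated": False},
                ]},
                {"kind": "OBJECT", "name": "User", "fields": [
                    {"name": "name", "args": [], "isDeprecated": False,
                     "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                    {"name": "password", "args": [], "isDeprecated": False,
                     "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                    {"name": "apiToken", "args": [], "isDeprecated": True,
                     "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                ]},
                {"kind": "OBJECT", "name": "__Schema", "fields": []},
                {"kind": "SCALAR", "name": "String", "fields": None},
            ],
        }
    }
})

# Field names that usually should not be readable through a public API (assumed list).
SENSITIVE = re.compile(r"(password|passwd|secret|token|apikey|api_key|ssn|credit)", re.I)


def type_to_str(t):
    """Render a TypeRef chain (NON_NULL / LIST wrappers) as GraphQL syntax, e.g. [User]!"""
    if t is None:
        return "?"
    kind = t.get("kind")
    if kind == "NON_NULL":
        return type_to_str(t.get("ofType")) + "!"
    if kind == "LIST":
        return "[" + type_to_str(t.get("ofType")) + "]"
    return t.get("name") or "?"


def introspection_enabled(raw_json):
    """True if the response carries a schema; servers with introspection disabled return errors and no data."""
    doc = json.loads(raw_json)
    schema = (doc.get("data") or {}).get("__schema") or {}
    return bool(schema.get("types"))


def summarize_schema(raw_json):
    """Return {type_name: [field signature, ...]} for user-defined object types only."""
    doc = json.loads(raw_json)
    summary = {}
    for t in doc["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars/enums and the built-in __Schema/__Type family
        sigs = []
        for f in t.get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_to_str(a['type'])}" for a in f.get("args", []))
            sig = f"{f['name']}({args}): {type_to_str(f['type'])}" if args else f"{f['name']}: {type_to_str(f['type'])}"
            if f.get("isDeprecated"):
                sig += "  [deprecated, still callable]"  # includeDeprecated: true surfaces these
            sigs.append(sig)
        summary[t["name"]] = sigs
    return summary


def sensitive_fields(raw_json):
    """List 'Type.field' entries whose name suggests data that should not be exposed."""
    hits = []
    for tname, sigs in summarize_schema(raw_json).items():
        for sig in sigs:
            fname = sig.split("(")[0].split(":")[0]
            if SENSITIVE.search(fname):
                hits.append(f"{tname}.{fname}")
    return hits


if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_INTROSPECTION))
    for tname, sigs in summarize_schema(SAMPLE_INTROSPECTION).items():
        print(tname)
        for s in sigs:
            print("   ", s)
    print("fields to review:", sensitive_fields(SAMPLE_INTROSPECTION))
```

Two details matter here: `fields(includeDeprecated: true)` in the query above is what makes the deprecated `apiToken` field show up at all, and a server with introspection turned off answers with an errors array and no `data`, which `introspection_enabled` treats as "nothing to enumerate" rather than crashing on a missing key.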

SQL Injection

{
	user (id: "1' UNION SELECT null,null-- -") {
		name
		password
	}
}
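To see why the payload above works and what the fix looks like, here is an added Python example (not from the original page) that runs the same `id` argument against two versions of a `user(id:)` resolver backed by a constructed in-memory SQLite table: one that formats the argument into the SQL string, and one that binds it as a parameter. The table contents, the resolver names and the `contains_sql_metachars` helper are all assumptions made for the demonstration.

```python
"""Why the payload above works: a resolver that concatenates the `id` argument
into SQL, beside the parameterized version that does not.

Added example, not from the original page. The table and its rows are
constructed in an in-memory SQLite database; the resolver names are
hypothetical and stand in for whatever resolves `user(id:)` on the server.
"""
import sqlite3

# Payload exactly as in the query above.
PAYLOAD = "1' UNION SELECT null,null-- -"


def make_db():
    """In-memory database standing in for the backend the resolver queries (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("1", "John", "hunter2"), ("2", "Emma", "correct-horse")])
    return conn


def resolve_user_vulnerable(conn, user_id):
    """Resolver that builds SQL by string formatting: the argument becomes part of the statement."""
    sql = f"SELECT name, password FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def resolve_user_safe(conn, user_id):
    """Same resolver with a bound parameter: the argument is only ever data, never SQL."""
    sql = "SELECT name, password FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def contains_sql_metachars(value):
    """Cheap check for logging/alerting on resolver arguments; a signal, not a substitute for binding."""
    upper = f" {value.upper()} "
    return any(tok in upper for tok in ("'", "--", "/*", " UNION ", " OR "))


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal id :", resolve_user_vulnerable(conn, "1"))
    print("vulnerable, payload   :", resolve_user_vulnerable(conn, PAYLOAD))
    print("safe, payload         :", resolve_user_safe(conn, PAYLOAD))
    print("flag for review       :", contains_sql_metachars(PAYLOAD))
```

The parameterized version returns nothing for the payload because the whole string is compared as a literal id; the formatted version returns John's row plus the injected `null,null` row, which is exactly the behaviour the query above relies on (the trailing `-- -` comments out the closing quote). Binding is the fix; the metacharacter check is only useful as a detection signal in resolver logs.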

We might be able to inject SQL somewhere, e.g. in arguments. Please refer to the SQL Injection Cheat Sheet for more payloads.

NoSQL Injection

We might be able to inject NoSQL somewhere, e.g. in arguments. Please refer to the NoSQL Injection page for more payloads.

References

GraphQL: A query language for APIs.
SQL Injection Cheat Sheet
NoSQL Injection
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection
https://graphql.org/learn/queries/
https://escape.tech/blog/pentest101/