GraphQL APIs offer flexibility and efficiency — but that same flexibility often introduces security blind spots.
Unlike traditional REST, GraphQL exposes an entire query language to the client — and thus to attackers.
This post walks through a practical GraphQL security testing workflow using Burp Suite + community tools, with a focus on precision, stealth, and clarity.
1. Reconnaissance: Is It GraphQL?
Look for signs like:
- Endpoints like /graphql, /api/graphql, /gql
- Content-Type: application/json
- POST requests with a "query" field in the body
Example:
{
"query": "{ __typename }"
}
A successful response with HTTP 200 and a "data" field confirms GraphQL is live.
2. Introspection Enabled?
Send the classic introspection query:
{
"query": "{ __schema { types { name } } }"
}
If enabled, it reveals the full schema — including queries, mutations, and types.
You can also use tools like:
python3 graphql-introspection.py -u https://target.com/graphql
Or Burp extension: GraphQL Raider
3. Use Burp GraphQL Raider Extension
Install via:
Burp → BApp Store → GraphQL Raider
Capabilities:
- Visual query builder
- Introspection analysis
- Auto fuzzing
- Token replacement
Send any GraphQL POST to Repeater → "Send to GraphQL Raider"
4. Attack Vectors
Now that you understand the schema, focus on key attack classes:
① Excessive Data Exposure
query {
users {
id
email
passwordHash
}
}
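Once introspection (section 2) is enabled, the response is a large JSON document describing every root operation and every field of every type; GraphQL Raider does this analysis in its GUI. The Python below is an added example, not code from the original post or from the Raider project. It walks a constructed introspection response (shaped like a full __schema query that also requests fields and their types, which is more than the name-only query shown in section 2) and flags fields whose names suggest sensitive data, such as the passwordHash field in the Excessive Data Exposure query above, so the schema can be reviewed for exposure before it is queried. The sensitive-name pattern is an assumption and should be tuned to the application.

```python
import re

# Constructed sample introspection response, in the shape a full __schema
# query returns (types with their fields). Not captured from any real target.
SAMPLE_INTROSPECTION = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": {"name": "Mutation"},
            "types": [
                {"kind": "OBJECT", "name": "Query", "fields": [
                    {"name": "users", "type": {"kind": "LIST", "name": None,
                        "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}},
                    {"name": "search", "type": {"kind": "LIST", "name": None,
                        "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}},
                ]},
                {"kind": "OBJECT", "name": "Mutation", "fields": [
                    {"name": "updateUser", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
                ]},
                {"kind": "OBJECT", "name": "User", "fields": [
                    {"name": "id", "type": {"kind": "NON_NULL", "name": None,
                        "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
                    {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                    {"name": "passwordHash", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                    {"name": "apiToken", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                ]},
                {"kind": "SCALAR", "name": "String", "fields": None},
                {"kind": "SCALAR", "name": "ID", "fields": None},
                {"kind": "OBJECT", "name": "__Schema", "fields": []},
            ],
        }
    }
}

# Assumed name pattern for fields that should never reach an ordinary client.
SENSITIVE_FIELD = re.compile(r"password|hash|secret|token|ssn|apikey|api_key", re.I)


def unwrap_type(ref):
    """Strip NON_NULL/LIST wrappers to reach the named type, e.g. [User!]! -> User."""
    while ref and ref.get("name") is None:
        ref = ref.get("ofType")
    return ref["name"] if ref else None


def list_operations(response):
    """Map each root operation kind to its field names: {"query": [...], "mutation": [...]}."""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    ops = {}
    for kind in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(kind)
        if root:
            ops[kind.replace("Type", "")] = [f["name"] for f in by_name[root["name"]]["fields"] or []]
    return ops


def operations_returning(response, type_name):
    """Root operations whose unwrapped return type is type_name, e.g. "query.users"."""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    hits = []
    for kind in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(kind)
        if not root:
            continue
        for f in by_name[root["name"]]["fields"] or []:
            if unwrap_type(f["type"]) == type_name:
                hits.append(f"{kind.replace('Type', '')}.{f['name']}")
    return hits


def flag_sensitive_fields(response):
    """Return "Type.field" for user-defined object fields whose names look sensitive."""
    schema = response["data"]["__schema"]
    flagged = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars, enums and the built-in introspection types
        for f in t.get("fields") or []:
            if SENSITIVE_FIELD.search(f["name"]):
                flagged.append(f"{t['name']}.{f['name']}")
    return flagged


if __name__ == "__main__":
    print("operations:", list_operations(SAMPLE_INTROSPECTION))
    for hit in flag_sensitive_fields(SAMPLE_INTROSPECTION):
        owner = hit.split(".")[0]
        print(f"{hit} is reachable via {operations_returning(SAMPLE_INTROSPECTION, owner)}")
```

Feed the script the saved JSON body of a real introspection response instead of the constructed sample and the flagged list becomes a review checklist: every entry is a field that should either be removed from the schema or covered by a field-level authorization rule (section 6).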
② Broken Access Control
Try sending the same query as a different role or unauthenticated.
Check if sensitive objects are still returned.
③ Injection Attacks
While SQL injection is rare in well-configured resolvers, try:
query {
search(term: "\" OR \"1\"=\"1")
}
Also test for:
- NoSQLi (Mongo-style payloads)
- SSTI (in template-powered GraphQL backends)
④ Denial of Service (DoS)
Use deeply nested recursive queries:
query {
a { a { a { a { a { a } } } } }
}
Some servers crash or time out.
5. Automated Scanning (Optional)
GraphQL endpoints can be integrated into active scanning tools, but be cautious with rate-limiting and introspection-heavy payloads.
Recommended:
- Manual + Raider for schema-aware fuzzing
- Intruder for token/session tests
- Passive detection of disclosure/misconfig
6. Defensive Tips (Bonus)
If you're defending a GraphQL API:
- Disable introspection in production
- Apply query depth and complexity limiting
- Enforce RBAC on fields, not just endpoints
- Log and rate-limit abusive patterns
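The first two tips above, disabling introspection and limiting query depth and complexity, are also the mitigations for the nested-query DoS in section 4. The Python below is an added example, not code from the original post; it shows what such a check has to compute by scanning the raw query text with a small hand-rolled tokenizer (an assumption for illustration: a production server should use the validation rules of its GraphQL library rather than a regex tokenizer, and block strings are not handled here). The limits of 5 levels and 100 fields are assumed defaults; the queries it is run against are the ones shown in this post.

```python
import re

# Minimal GraphQL tokenizer: strings (with escapes) and comments are consumed
# whole, so braces or quotes inside a string argument cannot skew the counts.
_TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"'                   # string literal
    r'|#[^\n]*'                            # comment
    r'|\.\.\.'                             # fragment spread / inline fragment
    r'|\$?[A-Za-z_][A-Za-z0-9_]*'          # name or $variable
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?'   # number
    r'|[{}()\[\]:=@!|]'                    # punctuators
)

INTROSPECTION_FIELDS = {"__schema", "__type"}


def tokenize(query):
    return [t for t in _TOKEN.findall(query) if not t.startswith("#")]


def analyze(query):
    """Return selection-set depth, number of selected fields, and whether introspection fields appear."""
    tokens = tokenize(query)
    depth = max_depth = parens = fields = 0
    introspection = False
    for i, tok in enumerate(tokens):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        if parens:
            continue  # inside an argument list: object literals there are not selection sets
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif depth > 0 and re.match(r"[A-Za-z_]", tok):
            prev = tokens[i - 1] if i else ""
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if prev in ("@", "...", "on") or nxt == ":" or tok == "on":
                continue  # directive name, fragment spread, type condition, or alias
            fields += 1
            if tok in INTROSPECTION_FIELDS:
                introspection = True
    return {"depth": max_depth, "fields": fields, "introspection": introspection}


def check_query(query, max_depth=5, max_fields=100, allow_introspection=False):
    """Return a list of policy violations; an empty list means the query may run."""
    stats = analyze(query)
    violations = []
    if stats["depth"] > max_depth:
        violations.append(f"depth {stats['depth']} exceeds limit {max_depth}")
    if stats["fields"] > max_fields:
        violations.append(f"{stats['fields']} fields exceeds limit {max_fields}")
    if stats["introspection"] and not allow_introspection:
        violations.append("introspection (__schema/__type) is disabled")
    return violations


# Queries from the post, used as inputs.
NESTED_QUERY = "query { a { a { a { a { a { a } } } } } }"
USERS_QUERY = "query { users { id email passwordHash } }"
INTROSPECTION_QUERY = "{ __schema { types { name } } }"
SEARCH_QUERY = r'query { search(term: "\" OR \"1\"=\"1") }'

if __name__ == "__main__":
    for q in (NESTED_QUERY, USERS_QUERY, INTROSPECTION_QUERY, SEARCH_QUERY):
        print(q, "->", analyze(q), check_query(q) or "ok")
```

The depth check rejects the recursive query long before a resolver runs, and the field count is a crude stand-in for a cost analysis (a real one weights list fields and known-expensive resolvers). Because the tokenizer consumes string literals whole, the injection payload in the search query is seen as one argument and does not affect depth or field counts, which is the behaviour a validator must have or an attacker could pad strings with braces to confuse it.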
Final Notes
GraphQL flips the security model: the client controls the query shape.
This demands fine-grained testing, schema awareness, and thoughtful payload design.
In upcoming posts:
- Bypassing depth limits
- Field-level access control fuzzing
- Using GraphQL Voyager for visualization and mapping
Understand the graph. Map the logic. Exploit the edges.