Week 15 - GraphQL Introspection

PreviousWeek 14 - Algolia API Keys NextWeek 16 - Naming BurpSuite Repeater Tabs

Last updated 2 years ago

GraphQL Introspection

This week’s post covers GraphQL hacking. The first thing I check with GraphQL endpoints is if Introspection is enabled. Introspection allows you to map out the contents of the GraphQL API schema. In plain English, this means you can see all the different queries and mutations the endpoint allows along with what data you can retrieve with those queries. To issue an introspection query, send the below POST data in an HTTP request to the ‘/graphql’ endpoint:

{“query”: “query introspection_query{ {__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}}”}

Then copy the server response and paste it into GraphQL Voyager (if you copy straight from BurpSuite, don’t forget to remove the server response headers). This will allow you to graphically display the entire API schema, assuming the endpoint has Introspection enabled. If it's not enabled, you'll receive an access error. Now assuming you have successfully mapped out the schema in GraphQL Voyager, you’re probably thinking… now what? I remember my first time looking at the results and having no idea what to do with them. So assuming the below photo is our GraphQL Voyager output, you can retrieve info by using the following example POST data:

{“query”: “query random_name{ film { title   releaseDate    director  characterConnection { characterID characterName  }   }  }”}

You can see we work from the root query ‘film’, then specify either a variable existing within the ‘Film’ object or a separate object to access (which in this case is ‘characterConnection’). Each separate object contains other variables. So you can play around with starting from the root query and digging into variables existing within connected objects down the line.

If GraphQL Introspection is disabled, use clairvoyance to recreate it through bruteforcing (the hacking tool that is, not the supernatural power of seeing the future :p)

GraphQL Introspection

{“query”: “query introspection_query{ {__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}}”}

{“query”: “query random_name{ film { title   releaseDate    director  characterConnection { characterID characterName  }   }  }”}

If GraphQL Introspection is disabled, use clairvoyance to recreate it through bruteforcing (the hacking tool that is, not the supernatural power of seeing the future :p)