# Week 15 - GraphQL Introspection ## GraphQL Introspection \ This week’s post covers GraphQL hacking. The first thing I check with GraphQL endpoints is if Introspection is enabled. Introspection allows you to map out the contents of the GraphQL API schema. In plain English, this means you can see all the different queries and mutations the endpoint allows along with what data you can retrieve with those queries. To issue an introspection query, send the below POST data in an HTTP request to the ‘/graphql’ endpoint:\ \ `{“query”: “query introspection_query{ {__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}}”}`\ \ Then copy the server response and paste it into GraphQL Voyager (if you copy straight from BurpSuite, don’t forget to remove the server response headers). This will allow you to graphically display the entire API schema, assuming the endpoint has Introspection enabled. If it's not enabled, you'll receive an access error.\ \ Now assuming you have successfully mapped out the schema in GraphQL Voyager, you’re probably thinking… now what? I remember my first time looking at the results and having no idea what to do with them. So assuming the below photo is our GraphQL Voyager output, you can retrieve info by using the following example POST data:\ \ `{“query”: “query random_name{ film { title releaseDate director characterConnection { characterID characterName } } }”}`\ \ You can see we work from the root query ‘film’, then specify either a variable existing within the ‘Film’ object or a separate object to access (which in this case is ‘characterConnection’). Each separate object contains other variables. So you can play around with starting from the root query and digging into variables existing within connected objects down the line.\ {% hint style="info" %} If GraphQL Introspection is disabled, use clairvoyance to recreate it through bruteforcing (the hacking tool that is, not the supernatural power of seeing the future :p) {% endhint %} ![SRC: https://infosecwriteups.com/graphql-voyager-as-a-tool-for-security-testing-86d3c634bcd9](/files/dwJepqAlVqLTfjcPHpua) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.webhackingtips.com/weekly-tips/week-15-graphql-introspection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.