My slides for understanding pentesting for GraphQL applications. I presented this content at c0c0n and BSides Delhi 2018. Also contains details of my Burp extension for GraphQL parsing and scanning, located here: https://github.com/br3akp0int/GQLParser
4. REST
❑ Data intensive per endpoint
❑ Multiple API endpoints needed
❑ Leads to over-fetching or under-fetching

GraphQL
❑ Flexible for rapid product iterations on the front end
❑ Designs can change and won't affect the API
❑ Fine grained
❑ Low-level performance monitoring
❑ Strong schema and types
❑ Easy structuring of requests between client and server
5. ❑ Started 2011: Facebook
  ❑ Lee Byron, Nick Schrock
❑ Usage
  ❑ Made public in 2015
  ❑ Multiple interior endpoints to a single forward-facing endpoint
  ❑ Vast language support
  ❑ Data-intensive platforms
8. Schema

    type Query {
      hero: Character
    }

    type Character {
      id: ID!
      name: String
      friends: [Character]
      homeWorld: Planet
      species: Species
    }

    type Planet {
      name: String
      climate: String
    }

    type Species {
      name: String
      lifespan: Int
      origin: Planet
    }
21. ▪ Queries
  ❑ Adding privileged parameters, id values, keys, tokens to input params
  ❑ Fetch more with unused output params
▪ Mutations
  ❑ Try to change by replacing relevant change parameters
  ❑ Look for any that define permissions, context, etc.
  ❑ Amount: fetch more than defaults
23.

Paths
▪ /graphql
▪ /graphqlBatch
▪ /graphql.php
▪ /graphiql
▪ /graphql/console/
▪ /graphql.php?debug=1
▪ Try other ports for interactive GQL

Schema
▪ Schema-based model enumeration: fetching sensitive attributes
▪ Introspection: __schema
▪ Deprecated nodes
▪ Crucial attributes of an object
▪ Data, links in description

Entity
▪ Fetch all: look for cumulative objects, groups, collections, etc. to get a list of all
30. Persistgraphql / Depth limit

Persistgraphql: build step that writes the whitelist of queries the client is allowed to send (package.json)

    {
      "scripts": {
        "postbuild": "persistgraphql src api/query-whitelist.json"
      }
    }

Depth limit: validation rule that rejects queries nested deeper than 10 levels (express-graphql)

    import depthLimit from 'graphql-depth-limit'
    import graphqlHTTP from 'express-graphql'
    // schema: the server's GraphQLSchema; app: an express() instance (both defined elsewhere)
    app.use('/graphql', graphqlHTTP((req, res) => ({
      schema,
      validationRules: [ depthLimit(10) ]
    })))
38. ▪ Extension detects and parses GraphQL data
▪ Dynamic input fields presented for testing and editing
▪ Integrates with Scanner for full coverage
▪ Reduces noise
▪ https://github.com/br3akp0int/GQLParser