Introspection.MD

• Use this snippet here: introspection-query.graphql

• If introspection is disabled, use clairvoyance

  • Development Subdomains:
    • Often, GraphQL introspection is enabled on development, staging, or UAT subdomains where strict security measures might not be fully implemented. These environments can be easier targets for schema enumeration.
  • Clairvoyancex Tool:

    • Usage: Use custom wordlists and proxy through tools like Burp Suite to intercept and modify requests. Example command:

      python3 -m clairvoyancex -vv -o schema411.json -w google-10000-english.txt https://example.com/api/graphql -t 100

      • vv: Verbose mode for detailed output.
      • o schema411.json: Output file to save the enumerated schema in JSON format.
      • w google-10000-english.txt: Custom wordlist to use for query guessing.
      • t 100: Timeout set to 100 seconds per request to manage response times.

• JS/App Analysis:

  • Reverse Engineering: Analyze JavaScript code or mobile app binaries to understand how queries and mutations are structured and used. This approach can reveal GraphQL endpoints, parameters, and potential vulnerabilities.

• Basic Security Testing:

  • Explore Bug Classes: Apply common security testing techniques such as IDOR (Insecure Direct Object Reference), SQL Injection (SQLi), File Disclosure, SSRF (Server-Side Request Forgery), and RCE (Remote Code Execution) specifically adapted for GraphQL endpoints. These vulnerabilities can sometimes be discovered even without explicit enumeration.