search

2๏ธโƒฃGraphQL API

GraphQL pentesting focuses on identifying security vulnerabilities in applications that use GraphQL for data querying. Unlike REST APIs, GraphQL allows clients to request specific data, which can expose underlying issues if not properly secured. Key areas of concern include improper authorization checks, excessive data exposure, and insufficient input validation. Pentesters should look for flaws such as introspection queries revealing sensitive schema details, or complex queries leading to denial of service. Ensuring robust input validation, implementing strict authorization checks, and limiting query complexity are essential practices to secure GraphQL endpoints.

hashtag
Articles and Blog Posts

https://yeswehack.com/learn-bug-bounty/how-exploit-graphql-endpoint-bug-bountyyeswehack.comchevron-right
LogoGraphQL - HackTricksbook.hacktricks.xyzchevron-right
LogoFive easy ways to hack GraphQL targetsIntigritichevron-right

hashtag
GitHub Repositories and Resources

LogoPayloadsAllTheThings/GraphQL Injection/README.md at master ยท swisskyrepo/PayloadsAllTheThingsGitHubchevron-right
Logohackerone-reports/tops_by_bug_type/TOPGRAPHQL.md at master ยท reddelexc/hackerone-reportsGitHubchevron-right
LogoGitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema even if the introspection is disabledGitHubchevron-right
LogoGitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHubchevron-right
LogoGitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)GitHubchevron-right
LogoGitHub - dolevf/Damn-Vulnerable-GraphQL-Application: Damn Vulnerable GraphQL Application is an intentionally vulnerable GraphQL service implementation designed for learning about and practising GraphQL Security.GitHubchevron-right

hashtag
Cheat Sheets and Guides

LogoGraphQLโ€Šโ€”โ€ŠCommon vulnerabilities & how to exploit themMediumchevron-right
LogoGraphQL Vulnerabilities | Application Security Cheat Sheet0xn3va.gitbook.iochevron-right
LogoGraphQL API vulnerabilities | Web Security AcademyWebSecAcademychevron-right
https://anugrahsr.in/graphql-pentesting-for-dummies_part1/anugrahsr.inchevron-right
https://anugrahsr.in/graphql-pentesting-for-dummies-part-2/anugrahsr.inchevron-right

hashtag
Videos

hashtag
Social Media Posts

hashtag
Books

LogoBlack Hat GraphQL: Attacking Next Generation APIsAmazon.comchevron-right
PreviousWordpressNextIDOR Vulnerability

Last updated