GraphQL has emerged as a revolutionary data query and manipulation language for APIs, driving efficiency and precision in data retrieval. It has become the technology of choice for modern web applications due to its ability to fetch exactly what’s needed, avoiding the over-fetching or under-fetching issues commonly associated with RESTful APIs.
Its powerful querying capabilities enable developers to create fast and flexible APIs, addressing the diverse needs of today’s dynamic front-ends. As such, mastering GraphQL has become an indispensable skill for any API hacker seeking to stay at the forefront of modern API security testing.
Don’t worry… I’ll eventually be adding it to my guide on how to get started as an API hacker.
As lifelong learners, we always need to stay on top of things. Understanding GraphQL from a hacking perspective is no different.
So, let me show you five ways you can improve your GraphQL hacking skills.
#1 – Read the book about it
The first thing you should do is pick up Black Hat GraphQL: Attacking Next Generation APIs. This book was written for hackers by hackers, with a focus on attacking GraphQL APIs. It’s filled with practical examples and real-world scenarios that will give you a solid understanding of the underlying technology and potential vulnerabilities to look for in your offensive security testing.
It is an indispensable resource for those delving into GraphQL hacking. The authors approach the subject with impressive depth and clarity, making it accessible for hackers at all skill levels. What sets this book apart is its practical emphasis, providing real-world scenarios and examples illuminating the potential vulnerabilities in GraphQL APIs.
Despite its technical subject matter, the book maintains a smooth, engaging narrative, making complex concepts digestible. In fact, this guide does not merely present information – it offers the reader an immersive exploration of GraphQL hacking, stoking curiosity and inspiring further learning.
The book’s focus on attack techniques provides a unique perspective that’s incredibly beneficial for security testers, making it a must-read for anyone aiming to excel in modern API security testing.
#2 – Practice your tradecraft on a vulnerable target
Get your hands on the Damn Vulnerable GraphQL Application (DVGA).
DVGA is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing you to test for vulnerabilities. It gives you your own cyber range, where you can safely try new tools and techniques without fretting about breaking something that matters.
Install it locally using Docker so you can practice offline and revert if necessary. The codebase is filled with vulnerabilities typically found in real-world applications, making it a great way to practice your tradecraft in preparation for tackling real projects.
If you need some help, consider reading Zero Day Hacker’s DVGA walkthrough. Edward provides a great step-by-step guide to installing, running, and attacking DVGA.
#3 – Learn to use the right tools
There are several tools designed for GraphQL hacking that you should learn to use. Once DVGA is running, you can practice using these tools on a vulnerable target.
Graphw00f is a powerful tool designed to help pentest GraphQL-based applications. It automates the process of fingerprinting GQL endpoints, sending a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes.
It also has built-in support for the DVGA, making it a perfect tool to use alongside your practice sessions. Take time to familiarize yourself with graphw00f and learn how to leverage its capabilities in your API security testing workflow.
If you don’t know what “introspection” is, it’s a GraphQL feature that lets a server describe its own schema to developers and other consumers of the API. When introspection is enabled, a single query can retrieve the entire GraphQL schema.
If we can query that, it provides a significant advantage to us.
To run the graphql-introspection NSE script in Nmap, use a command line like this (changing the IP and port accordingly, of course):
$ nmap --script=graphql-introspection -sV 127.0.0.1 -p 5013
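The Nmap script above works by sending an introspection query and seeing whether the server answers with a schema. As an added example (not from the post or any tool it names), here is a small Python audit helper that does the same check against a JSON reply and summarizes the object types a server exposes, which is also how a defender confirms introspection really is disabled on a production endpoint. The sample replies and the error message are constructed; `fetch_introspection` uses only the standard library and is the one piece that needs a live URL.

```python
import json
import urllib.request

# Minimal introspection query: enough to list every type and its fields.
INTROSPECTION_QUERY = """{ __schema { queryType { name } mutationType { name }
  types { name kind fields { name type { name kind ofType { name kind } } } } } }"""


def fetch_introspection(url: str, timeout: float = 10.0) -> dict:
    """POST the introspection query to a GraphQL endpoint and return the parsed JSON reply."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def introspection_enabled(response: dict) -> bool:
    """True when the reply carries schema data; a hardened server returns errors and no __schema."""
    data = response.get("data") or {}
    return bool(data.get("__schema"))


def summarize_schema(response: dict) -> dict:
    """Map each user-defined object type to its field names, skipping scalars and the __* meta types."""
    summary = {}
    for t in response["data"]["__schema"]["types"]:
        if t.get("kind") != "OBJECT" or t["name"].startswith("__"):
            continue
        summary[t["name"]] = [f["name"] for f in (t.get("fields") or [])]
    return summary


# Constructed sample replies (not captured from any real server), one per outcome.
ID_TYPE = {"name": "ID", "kind": "SCALAR", "ofType": None}
ENABLED_REPLY = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": None,
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "users", "type": {"name": None, "kind": "LIST", "ofType": {"name": "User", "kind": "OBJECT"}}}]},
        {"name": "User", "kind": "OBJECT", "fields": [{"name": "id", "type": ID_TYPE}, {"name": "email", "type": ID_TYPE}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "__Schema", "kind": "OBJECT", "fields": [{"name": "types", "type": ID_TYPE}]},
    ]}}}
# Constructed error text; real servers word this differently, so test on the missing __schema, not the message.
DISABLED_REPLY = {"errors": [{"message": "introspection is disabled"}], "data": None}

if __name__ == "__main__":
    for label, reply in (("enabled", ENABLED_REPLY), ("disabled", DISABLED_REPLY)):
        print(label, "->", introspection_enabled(reply))
    print(json.dumps(summarize_schema(ENABLED_REPLY), indent=2))
```

To audit a live endpoint, replace the sample reply with `fetch_introspection("http://host:port/graphql")`; a server that still answers with `__schema` has introspection enabled.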
You know how Postman is an awesome client for interacting directly with REST APIs? Well, Altair is the client to use for interacting with GraphQL in much the same manner. It helps you debug GraphQL queries and implementations – taking care of the hard part so you can focus on actually getting things done.
While Altair is nice for interacting with GraphQL, it sometimes brings back too much data to parse easily, which makes it extremely hard to visualize how all the data relates.
This is where GraphQL Voyager comes in. It’s an interactive graph visualization tool that helps you make sense of your GraphQL schema structure. With it, you can easily see how multiple entities in a schema relate to each other, making it easier to understand and develop efficient queries.
Hey, it wouldn’t be me if I didn’t recommend SOMETHING that lets you hack at an API through Burp Suite.
Get InQL, the GraphQL scanner. It’s a Burp extension that passively scans for GraphQL endpoints and provides a GUI for constructing queries. It even lets you use the introspection feature mentioned earlier, which is crucial when testing GraphQL APIs.
The authors even have a decent starting page to check out how to best use the extension.
#4 – Catch up with the HackTricks wiki
The longer you work in offensive security testing, the more you will come across Carlos Polop’s wiki. He is constantly updating it with tips & tricks he has come across during his own hacking journey.
He doesn’t write all the content. A lot of it he finds on other resources all over the web. Heck, you’ve probably come across my own content archived and linked there. (Thanks for that, Carlos.)
Of course, he has a decent Wiki page on hacking GraphQL. Take advantage of his index on the right side to quickly find the info you need. Bookmark the page. You’ll be glad that you did.
#5 – Read up on real-world GraphQL vulnerabilities
One way to level up your hacking skills is to learn from other people’s experiences. I’m a big fan of browsing through HackerOne’s Hacktivity feed and BugCrowd’s CrowdStream to find writeups of past vulnerabilities that are disclosed.
HackerOne has a unique perspective in that they let you search through all the submissions.
Head over to https://hackerone.com/hacktivity/overview and search for “graphql”. You can filter by “disclosed” items to give you the opportunity to read the submissions of past findings. You can then read each submission and learn how other hackers are approaching the problem and how they go about reporting it.
GraphQL is gaining popularity in web development, and with that comes the need for security testing. By familiarizing yourself with this technology and learning from others’ experiences, you can improve your hacking skills and become a well-rounded security researcher.
I hope these resources are helpful to you. Make sure you not only read all the content but also apply it. Practice. And then practice some more.
Then go forth and hack hard! Good luck! 🎉
One last thing…
Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe at https://apihacker.blog.