GraphQL Detection – API Penetration Testing

Hello everyone, welcome to pentestguy. In this article, we will look at how to detect GraphQL endpoints during API penetration testing. Once an endpoint is found, its schema and resolvers can be examined for issues such as missing authorization checks and sensitive data exposure, so detection is the first step. We will cover candidate endpoint paths, the graphw00f fingerprinting tool and an Nmap NSE script that can be used for GraphQL detection.

The standard GraphQL endpoint is typically found at /graphql. However, it’s essential to consider that different organizations may use alternative endpoints. The following list provides additional endpoints worth investigating:

/graph
/gql
/api/graphql
/graphql/console
/graphql/explore

For a longer wordlist of candidate paths, refer to the following resource: https://gist.github.com/pentestguy/25b307334c4ebe4a4e7faf92c4b27c63. Additionally, follow the advice from PortSwigger's research and check subdomains that might host a GraphQL endpoint (e.g., api.example.com or graphql.example.com), since the API is often served from a different host than the web front end.
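The following script probes each candidate path with the "universal query" `{__typename}`, which every GraphQL server answers on its root type without any knowledge of the schema, and classifies the responses. It is an added example written for this article, not code from graphw00f, PortSwigger or any other project; the candidate paths are the ones listed above, the DVGA host and port follow the graphw00f section further down, and the sample response bodies are constructed for illustration, not captured from a real server.

```python
"""Probe candidate paths for a GraphQL endpoint with the universal query {__typename}.

Added example for this article, not code from any project. Host, port and the
sample bodies below are constructed/assumed for illustration.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

# Candidate paths listed in the article (the standard /graphql first).
CANDIDATE_PATHS = [
    "/graphql",
    "/graph",
    "/gql",
    "/api/graphql",
    "/graphql/console",
    "/graphql/explore",
]

# "{__typename}" is valid against any schema, so a "data" object containing
# __typename is the strongest evidence. "Must provide query string" is what
# express-graphql returns for a bare GET /graphql and is the string the Nmap
# http-grep example in this article looks for.
UNIVERSAL_QUERY = "{__typename}"
WEAK_SIGNATURES = ("Must provide query string", "__typename")


def classify_body(body: str) -> Optional[Tuple[str, str]]:
    """Return (confidence, reason) if the body looks like a GraphQL reply, else None.

    "high"   : the universal query was answered ({"data": {"__typename": ...}}).
    "medium" : a spec-shaped "errors" list, or one of the known error strings.
    Caveat: a REST API can also emit {"errors": [{"message": ...}]}, so a
    "medium" hit should be confirmed by re-sending the universal query by POST.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        data = doc.get("data")
        if isinstance(data, dict) and "__typename" in data:
            return "high", "answered {__typename} with %r" % data["__typename"]
        errors = doc.get("errors")
        if isinstance(errors, list) and errors and all(
            isinstance(e, dict) and "message" in e for e in errors
        ):
            return "medium", "GraphQL-shaped error: %s" % errors[0]["message"]
    for sig in WEAK_SIGNATURES:
        if sig in body:
            return "medium", "response contains %r" % sig
    return None


def _fetch(url: str, data: Optional[bytes], timeout: float) -> str:
    """GET (data is None) or POST JSON; 4xx/5xx bodies are returned too."""
    headers = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 400/405/500 responses often carry the GraphQL error shape we want.
        return err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return ""


def probe(base_url: str, paths=CANDIDATE_PATHS, timeout: float = 5.0) -> Dict[str, Tuple[str, str]]:
    """Try GET ?query={__typename} then POST {"query": ...} on every path.

    Returns {path: (confidence, reason)} for the paths that produced a hit.
    """
    hits: Dict[str, Tuple[str, str]] = {}
    post_body = json.dumps({"query": UNIVERSAL_QUERY}).encode()
    for path in paths:
        url = base_url.rstrip("/") + path
        get_url = url + "?" + urllib.parse.urlencode({"query": UNIVERSAL_QUERY})
        best = None
        for body in (_fetch(get_url, None, timeout), _fetch(url, post_body, timeout)):
            result = classify_body(body)
            if result and (best is None or result[0] == "high"):
                best = result
            if best and best[0] == "high":
                break
        if best:
            hits[path] = best
    return hits


# Constructed sample bodies (not captured from a real server) covering the
# three outcomes classify_body() distinguishes.
SAMPLE_BODIES = {
    "/graphql": '{"data":{"__typename":"Query"}}',
    "/api/graphql": '{"errors":[{"message":"Must provide query string."}]}',
    "/graph": "<html><body><h1>404 Not Found</h1></body></html>",
}


def classify_samples() -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the classifier over the constructed samples."""
    return {path: classify_body(body) for path, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    # Against DVGA in Docker (port 5013, as used later in this article) the
    # /graphql path should come back as "high".
    for path, (confidence, reason) in probe("http://localhost:5013").items():
        print(f"{path:<20} {confidence:<7} {reason}")
```

The GET probe is tried first because some deployments only expose GraphQL over GET and others reject it, and a 400 or 405 body is still examined because the rejection itself is often the GraphQL-shaped error that gives the engine away. Treat "medium" results as leads to confirm manually, not as findings.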


Graphw00f

graphw00f is a GraphQL server engine fingerprinting utility for security professionals who want to know which engine (Apollo, Graphene, Hasura and so on) sits behind a given GraphQL endpoint. It works by sending a mix of benign and malformed queries and matching the responses against engine-specific behaviour. To get started with graphw00f, clone the repository and change into it:

git clone https://github.com/dolevf/graphw00f.git
cd graphw00f

To obtain usage instructions or help, run:

python3 main.py -h

For instance, to run graphw00f against DVGA (Damn Vulnerable GraphQL Application) installed via Docker and listening on port 5013, execute the following. -d runs endpoint detection, -f fingerprints the engine, and -t sets the target:

python3 main.py -f -d -t http://localhost:5013

Once a GraphQL endpoint is detected and its engine identified, the next step is to map the attack surface. The scan result includes a link to graphw00f's attack surface matrix for that engine, which summarises the security-relevant features the engine supports (for example introspection and query batching), so it is a useful starting point for deciding which checks to run against the endpoint.

Detection using Nmap

Nmap also offers a simple way to detect GraphQL endpoints through its NSE (Nmap Scripting Engine). The http-grep script fetches a URL and searches the response for a pattern, so it can flag the error string that a GraphQL server returns when no query is supplied. The following command demonstrates this against DVGA on port 5013:

nmap -p 5013 -sV --script=http-grep --script-args='match="Must provide query string", http-grep.url="/graphql"' localhost

The match string and URL can be changed to suit the target. "Must provide query string" is specific to some engines (notably express-graphql), so a more engine-independent check is to send the universal query and look for its echo: set http-grep.url="/graphql?query=%7B__typename%7D" (the URL-encoded form of /graphql?query={__typename}) and match="__typename". Any GraphQL server answers this query with a "data" object containing __typename, regardless of its schema.

Detecting GraphQL endpoints is a critical step in API penetration testing. By checking the candidate paths and subdomains, fingerprinting the engine with graphw00f, and using Nmap's http-grep as a quick check, security researchers can locate GraphQL endpoints, identify their vulnerabilities and help organizations fortify their APIs.
