1. Fingerprinting the API:
- Identify GraphQL endpoints through brute-forcing or directory enumeration. Common paths:
  - /graphql
  - /graphiql
  - /graphql.php
  - /api
  - /graphql/console
  - /graphql/api
- Tools:
  - Use graphw00f to detect the GraphQL engine (Apollo, Graphcool, etc.).
2. Schema Introspection:
- Check if the GraphQL introspection query is enabled. This can reveal the entire schema, types, and operations.
- Tools:
  - Use graphql-voyager to visualize the schema if introspection is enabled.
Payload:
```graphql
{
  __schema {
    types {
      name
      fields {
        name
      }
    }
  }
}
```
3. Check for Unauthenticated Access:
- Test if sensitive data can be queried without authentication.
- Examples:
- Query user information.
- Access admin-level operations.
4. Test for Batching Attacks:
- GraphQL allows batching multiple queries in one request. This can be exploited for data exfiltration or bypassing rate limits.
Payload:
```json
[
  {"query": "{ users { id name email } }"},
  {"query": "{ orders { id product price } }"}
]
```
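Defender-side counterpart to steps 2 and 4: an added example (not part of this checklist) of a request-inspection function that a gateway or WAF rule could run on each GraphQL request body to flag introspection queries and oversized batches. The sample bodies are constructed here and mirror the two payloads above; `max_batch` is an assumed policy knob.

```python
import json
import re

# Constructed sample request bodies mirroring the checklist payloads above
INTROSPECTION_BODY = '{"query": "{ __schema { types { name fields { name } } } }"}'
BATCHED_BODY = ('[{"query": "{ users { id name email } }"},'
                ' {"query": "{ orders { id product price } }"}]')
NORMAL_BODY = '{"query": "{ me { id name } }"}'

# Matches the introspection root fields __schema / __type, but not __typename
# (the trailing \b stops "type" from matching inside "typename")
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")


def inspect_graphql_request(body: str, max_batch: int = 1) -> dict:
    """Inspect one raw GraphQL HTTP body and return policy findings.

    max_batch is an assumed policy value: the number of operations a single
    request may carry before it is treated as a batching attempt.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        # Malformed bodies never reach the resolver layer
        return {"error": "invalid JSON", "block": True}

    # A batched request is a JSON array of operations; normalise to a list
    operations = payload if isinstance(payload, list) else [payload]
    queries = [op.get("query", "") for op in operations if isinstance(op, dict)]

    findings = {
        "batch_size": len(operations),
        "introspection": any(INTROSPECTION_RE.search(q) for q in queries),
        "oversized_batch": len(operations) > max_batch,
    }
    # Block in production when either check fires; log the findings either way
    findings["block"] = findings["introspection"] or findings["oversized_batch"]
    return findings


if __name__ == "__main__":
    for label, body in [("introspection", INTROSPECTION_BODY),
                        ("batched", BATCHED_BODY), ("normal", NORMAL_BODY)]:
        print(label, inspect_graphql_request(body))
```

Disabling introspection in the server is still the primary fix; this check is a compensating control that also gives you a log signal when someone probes for it.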
5. Check for Authorization Bypass:
- Even if authentication is implemented, test if authorization checks are missing for certain queries or mutations (e.g., accessing/modifying other users' data).
Steps:
- Attempt to query or mutate resources owned by other users (using different user IDs or object identifiers).