GraphQL exploitation → 💶💶💶


As we know, GraphQL was originally developed and used by Facebook as an internal query language, so the features of GraphQL largely revolve around internal and development use. GraphQL executes queries using a type system that describes the data. An important but often overlooked feature of GraphQL is the ability to ask a GraphQL schema about the queries it supports, using the introspection system.


  1. It is an alternative to API standards like REST and SOAP.
  2. It is a query language for APIs. It is used to interact with the back-end and to fetch data from it.
  3. GraphQL is also written in JSON format.
  4. Unlike a REST API, GraphQL gets all the data in a single request (see the image below).


Let us consider the target is Now, there are many GraphQL endpoints, so I suggest you add these to your fuzzing list. Moreover, Burp Suite will help you out with GraphQL endpoints. Some of the endpoints are:

  1. /graphiql
  2. /graphql.php or /graphql.php/debug=1
  3. /graphie/console/ → Online GQL IDE to interact with back-end

Introspection Query

Now, what does an introspection query really do?

  1. IDE is not enabled
  2. Back-end system relations with the help of introspection
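
As an added example (not code from the original article): the Python below builds a minimal introspection request body and summarizes which root query and mutation fields a response exposes, which is a quick way to check whether your own API answers introspection. The sample responses and the field names `user`, `orders` and `updateEmail` are constructed for illustration.

```python
import json

# Minimal introspection query: asks the server for its root types and their fields.
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    mutationType { name }
    types { name fields { name } }
  }
}
"""

def build_request_body(query=INTROSPECTION_QUERY):
    """GraphQL over HTTP carries the query text inside a JSON object."""
    return json.dumps({"query": query})

def introspection_enabled(response):
    """True when the server returned schema data rather than only an error."""
    data = response.get("data") or {}
    return bool(data.get("__schema"))

def summarize_schema(response):
    """Return the root query and mutation field names the response exposes."""
    if not introspection_enabled(response):
        return {"queries": [], "mutations": []}
    schema = response["data"]["__schema"]
    # Scalar types report "fields": null, so treat that as an empty list.
    fields_by_type = {t["name"]: [f["name"] for f in (t.get("fields") or [])]
                      for t in schema["types"]}
    def root_fields(key):
        root = schema.get(key)  # mutationType is null when no mutations exist
        return fields_by_type.get(root["name"], []) if root else []
    return {"queries": root_fields("queryType"),
            "mutations": root_fields("mutationType")}

# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [{"name": "user"}, {"name": "orders"}]},
        {"name": "Mutation", "fields": [{"name": "updateEmail"}]},
        {"name": "String", "fields": None},
    ]}}}
SAMPLE_BLOCKED = {"data": None, "errors": [{"message": "introspection is disabled"}]}

if __name__ == "__main__":
    print(build_request_body())
    print(summarize_schema(SAMPLE_OPEN), introspection_enabled(SAMPLE_BLOCKED))
```
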


What are GraphQL mutation queries used for?



Parth Shukla

Security Analyst, Bug XS Community Leader