GraphQL exploitation → 💶💶💶



  1. It is alternative to API standards like REST and SOAP
  2. It is an Query Language for API. It is used to interact and to fetch data from back-end.
  3. GraphQL are also written in JSON format.
  4. Unlike Rest API, GraphQL get all the data in a single request ( Check below Image)


  1. /graphql
  2. /graphiql
  3. /graphql.php or /graphql.php/debug=1
  4. /graphie/console/ → Online GQL IDE to interact with back-end
  1. GraphQL is enabled
  2. IDE is not enabled.

Introspection Query

  1. GraphQL is enabled
  2. IDE is not enabled
  3. Back-end system relations with the help of introspection





Security Analyst, Bug XS Community Leader

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

MQTT with TLS client authentication on port 443 using Traefik v2 TLS Passthrough applied to…

Literals in Programming

Connecting Wacom Tablet with Mac OS Big Sur

Review: Kotlin Bootcamp for programmers by Google [2020] Udacity

Kubernetes Multi-Node Cluster with Multipass on Ubuntu 18.04 Desktop

How To Fix Alcatel Pop 8S Not Charging [Troubleshooting Guide]

Jenkins Jobs: hands-on for the different use cases [DevOps] *

Grouping List of Dictionaries By Specific Key(s) in Python

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Parth Shukla

Parth Shukla

Security Analyst, Bug XS Community Leader

More from Medium

“Tricking” our developers into liking application security

HigherLogic RCE In _VSTATE .NET

Let’s do a peek inside the admin’s dashboard: Abuse API endpoint

Gaining Unauthorized Camera Access via Safari UXSS — CVE-2021–30861, CVE-2021–30975