Bypassing GraphQL introspection defenses

Methods to Bypass

  • Try inserting a special character after the __schema keyword.

  • Try characters like spaces, newlines and commas: GraphQL's lexer ignores them between tokens, but a flawed regex that matches a literal string will not.

  • If the developer has only excluded the exact string __schema{, then the introspection query below, which places a newline between __schema and the brace, would not be excluded.

    # Introspection query with newline

    {
        "query": "query{__schema
        {queryType{name}}}"
    }

  • Try a GET request, or a POST request with a content-type of application/x-www-form-urlencoded, in case the filter only inspects JSON bodies.

  • The example below shows an introspection probe sent via GET, with URL-encoded parameters.

    # Introspection probe as GET request

    GET /graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D
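As an added example (not code from the original page), the flawed "__schema{" substring filter described above beside a check that first strips the tokens GraphQL ignores, with a helper that reads the query from all three transports the bullets list; the function names and sample requests are constructed.

```javascript
// Added example, not from the original page: flawed "__schema{" substring filter beside a
// check that removes GraphQL's ignored tokens first. Function names and probes are constructed.

// Flawed filter: matches only when "{" directly follows "__schema".
function naiveBlocksIntrospection(query) {
  return /__schema\{/.test(query);
}

// Remove tokens the GraphQL lexer ignores: #-comments, whitespace, line terminators, commas, BOM.
function stripIgnored(query) {
  return query.replace(/#[^\n\r]*/g, '').replace(/[\s,\uFEFF]+/g, '');
}

// Block the introspection root fields __schema and __type regardless of separators.
// __typename is allowed because ordinary clients send it. Matching on raw text is still a
// heuristic ("__schema" inside a string literal also matches); disable introspection server-side.
function robustBlocksIntrospection(query) {
  return /__(schema|type)(?!\w)/.test(stripIgnored(query));
}

// Read the query from the three transports the page lists: JSON body, GET query string,
// and an application/x-www-form-urlencoded body.
function extractQuery(req) {
  if (req.method === 'GET') {
    return new URL(req.url, 'http://localhost').searchParams.get('query') || '';
  }
  const ct = (req.headers['content-type'] || '').toLowerCase();
  if (ct.startsWith('application/x-www-form-urlencoded')) {
    return new URLSearchParams(req.body).get('query') || '';
  }
  if (ct.startsWith('application/json')) {
    return JSON.parse(req.body).query || '';
  }
  return '';
}

function shouldReject(req) {
  return robustBlocksIntrospection(extractQuery(req));
}

// Constructed probes mirroring the page's newline and comma variants, plus a benign query.
const getProbe = { method: 'GET', headers: {},
  url: '/graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D' };
const formProbe = { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: 'query=query%7B__schema%2C%7BqueryType%7Bname%7D%7D%7D' };
const jsonProbe = { method: 'POST', headers: { 'content-type': 'application/json' },
  body: '{"query":"query{__schema\\n{queryType{name}}}"}' };
const benign = { method: 'POST', headers: { 'content-type': 'application/json' },
  body: '{"query":"query{__typename users{id}}"}' };
```

A text filter remains a heuristic; the reliable mitigation is turning introspection off in the server itself, for example Apollo Server's introspection: false option or graphql-js's NoSchemaIntrospectionCustomRule validation rule.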
