GITBOOK-4051: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-08-25 07:48:03 +00:00 committed by gitbook-bot
parent 795473bccc
commit 3d9ea66965
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF

@ -393,6 +393,8 @@ More and more **graphql endpoints are disabling introspection**. However, the er
Moreover, the Burp Suite extension [**GraphQuail**](https://github.com/forcesunseen/graphquail) extension **observes GraphQL API requests going through Burp** and **builds** an internal GraphQL **schema** with each new query it sees. It can also expose the schema for GraphiQL and Voyager. The extension returns a fake response when it receives an introspection query. As a result, GraphQuail shows all queries, arguments, and fields available for use within the API. For more info [**check this**](https://blog.forcesunseen.com/graphql-security-testing-without-a-schema).
A nice **wordlist** to discover [**GraphQL entities can be found here**](https://github.com/Escape-Technologies/graphql-wordlist?).
### Bypassing GraphQL introspection defences <a href="#bypassing-graphql-introspection-defences" id="bypassing-graphql-introspection-defences"></a>
If you cannot get introspection queries to run for the API you are testing, try inserting a **special character after the `__schema` keyword**.
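Review bot: the added wordlist link has a stray trailing `?` inside the markdown link target (`https://github.com/Escape-Technologies/graphql-wordlist?`), which will be sent as part of the URL when rendered; drop it so the line reads `[**GraphQL entities can be found here**](https://github.com/Escape-Technologies/graphql-wordlist)`. While touching this region, the preceding GraphQuail sentence repeats the word "extension" ("the Burp Suite extension [**GraphQuail**](...) extension **observes** ..."); removing the second occurrence would read more cleanly.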