
I am working with a team that is developing a mobile app for which they are using GraphQL.

So as part of performing security testing on it, they only shared the GraphQL endpoint and nothing else.

Not even the app UI nor any credentials.

Based on my basic understanding of GraphQL, I was able to get the schema and see some of the queries and their responses.

But I am unable to understand what kind of security checks can be performed on the GraphQL endpoint without any other details apart from the endpoint URL itself.

Just wanted to know: is there something that I am missing here, and is it safe to say that security testing cannot be performed without looking at the app UI and having basic credentials?

Please help.

Thank you.

  • You would normally need credentials unless you are only performing unauthenticated security testing. As for the app UI, it is not required if you are only testing the GraphQL API. Commented Oct 28, 2020 at 15:18
  • Hi @rink.attendant.6, can you let me know what kind of checks can be performed with just the GraphQL API? I mean, to run some queries we need some valid parameters to see the actual output. In our case, that data was not given. It would be great if you can point me to any resource. Thanks. Commented Oct 29, 2020 at 5:56
  • github.com/doyensec/inql – atdre Commented Nov 19, 2020 at 16:18

1 Answer

The fact that you can run a schema query is a first red flag, especially if this is a production environment endpoint.

Being able to run schema queries gives an attacker everything they need to explore the API, and if there are any API methods/queries/mutations that can be misused then the schema query will make it easier for them to find any potential weaknesses.

Once you can run a GraphQL schema query, the next step is to look for queries/methods that can be misused by an attacker, and then go from there.
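As an added example (not code from the question or the answer), a small Python check for the first point the answer raises: whether the endpoint answers an introspection query at all, and if so which root queries and mutations it exposes, so the finding can be reported for a production endpoint. The endpoint URL passed to `probe` and the sample reply are assumptions; `summarize_schema` runs offline on the constructed sample.

```python
import json
import urllib.request

# Introspection probe that lists the root operation types and their fields
# (query written for this example; the endpoint URL is an assumption).
INTROSPECTION_QUERY = """
query IntrospectionProbe {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind fields { name } }
  }
}
"""

def summarize_schema(response):
    """Return (introspection_enabled, query_fields, mutation_fields) from a decoded reply."""
    schema = (response.get("data") or {}).get("__schema")
    if not schema:
        return False, [], []  # introspection refused or disabled: nothing to inventory
    fields_by_type = {t["name"]: [f["name"] for f in (t.get("fields") or [])]
                      for t in schema.get("types", [])}
    query_type = (schema.get("queryType") or {}).get("name")
    mutation_type = (schema.get("mutationType") or {}).get("name")
    return True, fields_by_type.get(query_type, []), fields_by_type.get(mutation_type, [])

def probe(url, timeout=10):
    """POST the introspection query to a live endpoint and summarize the reply."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return summarize_schema(json.load(resp))

# Constructed sample reply, shaped like a real server's introspection response.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [{"name": "viewer"}, {"name": "user"}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [{"name": "updateProfile"}]},
        {"name": "String", "kind": "SCALAR", "fields": None},
    ]}}}

if __name__ == "__main__":
    enabled, queries, mutations = summarize_schema(SAMPLE_RESPONSE)
    print("introspection enabled:", enabled)  # report as a finding on a production endpoint
    print("queries:", queries, "mutations:", mutations)
```

Mutations are the part worth reading first when reporting, since each one is a state change an unauthenticated caller can attempt.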
