This is a mindmap built with the Xmind app: a visual walkthrough and checklist for GraphQL testing. Xmind is a free app with paid add-ons, but it is completely usable in its free form. You can get your copy here: https://xmind.app/
A lot of the ideas and material is condensed from the great resource book Black Hat GraphQL (2023) by Dolev Farhi and Nick Aleks (@dolevf, @nicholasaleks).
You can find the book here, or when it shows up in a Humble Bundle: https://nostarch.com/black-hat-graphql
They have a GitHub companion to the book with a lot of tools, resources and information, which is super helpful. Give it a star and follow it here: https://github.com/dolevf/Black-Hat-GraphQL
This mindmap is a work in progress as I go through the book and encounter GraphQL APIs in pentests. I'll update it with more content and revisions as I further my understanding.
To get the most out of this mindmap it's recommended that you download the mindmap file. Then you can
- copy and paste the queries and commands included
- go to the links for tools
- add your own content
- edit the mindmap visually to your personal satisfaction
- rearrange the order of the flow, which currently is:
  - starting with the mindset to find GraphQL APIs
  - first queries to identify
    - the type of API running (which GraphQL server implementation)
    - whether introspection is enabled
    - what queries, mutations and subscriptions are available
    - deeper details on the info above
  - mapping the API
  - then testing for vulnerabilities
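The first identification steps of that flow, as an added example that is not part of the mindmap or the book's companion repo: the `{ __typename }` probe that any GraphQL endpoint must answer, a reduced introspection query for the root operation types and their fields, and a parser that turns the introspection response into a list of queries and mutations (with their argument names) to map. The URL handling, the JSON-over-POST transport and the two sample responses are assumptions constructed for the demo, not captured from a real target.

```python
"""Added example: first GraphQL identification queries and a response parser.
Not the mindmap's or Black Hat GraphQL's own code; sample responses are constructed."""
import json
import urllib.request

# Cheapest probe: any GraphQL endpoint must resolve __typename on the root type.
TYPENAME_PROBE = {"query": "{ __typename }"}

# Reduced introspection query: root operation types plus every type's fields and args.
INTROSPECTION_QUERY = {"query": """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields { name args { name } }
    }
  }
}"""}


def post_graphql(url, payload, timeout=10):
    """Send a JSON GraphQL request (assumes POST with a JSON body) and decode the reply.
    Online use only; the functions below work on already-decoded responses."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def looks_like_graphql(response):
    """True when the {__typename} probe got a GraphQL-shaped answer back."""
    data = response.get("data") or {}
    return "__typename" in data


def introspection_enabled(response):
    """True when __schema came back; a server with introspection off returns only errors."""
    data = response.get("data") or {}
    return isinstance(data.get("__schema"), dict)


def summarize_schema(response):
    """Map each root operation (query/mutation/subscription) to {field: [arg names]}."""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"] if t.get("name")}
    summary = {}
    for op in ("query", "mutation", "subscription"):
        root = schema.get(op + "Type")
        if not root:
            summary[op] = None  # operation type not defined in this schema
            continue
        fields = by_name.get(root["name"], {}).get("fields") or []
        summary[op] = {
            "type": root["name"],
            "fields": {f["name"]: [a["name"] for a in f.get("args") or []] for f in fields},
        }
    return summary


# Constructed sample responses (made up for this example, not from any real target).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "users", "args": []},
            {"name": "user", "args": [{"name": "id"}]}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "login", "args": [{"name": "username"}, {"name": "password"}]}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": []}, {"name": "username", "args": []}]},
    ]}}}
SAMPLE_DISABLED = {"errors": [{"message": "introspection is disabled"}]}  # constructed

if __name__ == "__main__":
    # Against a live target you would do:
    #   r = post_graphql("https://target.example/graphql", INTROSPECTION_QUERY)
    print(json.dumps(summarize_schema(SAMPLE_INTROSPECTION), indent=2))
```

When introspection is off, the error text the server returns varies by implementation, so keep the raw `errors` entries: their wording is one of the fingerprints the "type of API running" step relies on.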
Hopefully this will help you develop a workflow for testing GraphQL for vulnerabilities. Pentests can be overwhelming when the scope is big. APIs can be overwhelming when there are a lot of endpoints and all the pieces are connected in various ways. This should help you
- stay focused
- work through a checklist
- keep things visually understandable
- check things are not missed or overlooked.
So happy hacking!