1. Fingerprint the API endpoint using graphw00f.
github.com
2. Check the results against the Threat Matrix.
github.com
3. If Introspection is Enabled => dump it into GraphQL Voyager.
ivangoncharov.github.io
4. Test each endpoint for OWASP Top 10 and other vulnerabilities.
5. If Introspection is Disabled => Bruteforce. Details below.
6. I've made a more in-depth video walkthrough that covers all steps.
Like, retweet, and follow me if you want to see more threads like this one.
#pentesting #appsec #infosec #cybersecurity #hacking #bugbountytips @Nick_Aleks @dolevfarhi @nostarch
youtube.com