
Scanning a GraphQL API for vulnerabilities

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Invicti scans GraphQL based application programming interfaces (APIs).

GraphQL, developed by Facebook in 2012 and released in 2015, is a query language for APIs. It lets a client describe exactly the data it wants in a single request, so getting data from a server to a client through an API call is simpler and faster than with a set of fixed REST resources.

  • GraphQL is designed to return clients exactly the fields they request, which avoids over-fetching: a response contains only the data the query asked for, not the whole resource.
  • A single query can traverse related objects, which reduces the number of API requests a client must make.
  • All input data is type-checked against a schema defined by the developer, which assists with data validation.

Despite built-in validation and type-checking, GraphQL has its security shortcomings that attackers can exploit to access sensitive data. Invicti can scan GraphQL to identify vulnerabilities. For further information about GraphQL and its attack vectors, see our blog on Introduction to GraphQL API security.

This topic explains how to import a GraphQL schema and scan your web application to identify vulnerabilities in GraphQL. Invicti can also discover your GraphQL endpoints and libraries. For further information, see GraphQL Library Detection.

Invicti Enterprise On-Demand and Invicti Standard can automatically discover and attack GraphQL schemas and introspections during scans. So, even if you do not import your GraphQL schema, Invicti is able to discover it and stage attacks to identify vulnerabilities.

Key concepts in GraphQL

This is a list of key concepts in GraphQL.

Concept         Description

Schema          A GraphQL schema is at the heart of any GraphQL server implementation. The schema describes the functionality (types, queries, and mutations) available to the clients that connect to it.

Mutation        A GraphQL operation that creates, modifies, or destroys data.

Introspection   A special query (against the reserved __schema and __type fields) that enables clients and tools to fetch a GraphQL server's complete schema.

Query           A read-only fetch operation that requests data from a GraphQL service.

Scanning a GraphQL API for vulnerabilities

Invicti supports the scanning of GraphQL-based APIs, using the same security checks it applies to web applications. To scan, you must import the GraphQL schema into Invicti. Invicti then attacks the imported endpoints to identify the following vulnerabilities:

There are two ways to import a GraphQL schema: from a file or from a URL. Each is described in the following sections:

Importing the GraphQL schema from a file into Invicti

How to import a GraphQL schema from a file in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From File section, select GraphQL Schema/Introspection.
  5. From the Add an URL dialog, enter the URL of the GraphQL endpoint that the schema describes. Select OK.
  6. From the file dialog that opens, select the schema file. Then, select Open.
  7. Once the scanner has imported the schema, the endpoints it contains appear in the list of Imported Links.
  8. Select Launch to start scanning.
How to import a GraphQL schema from a file in Invicti Standard
  1. Open Invicti Standard.
  2. From the ribbon, select New.
  3. From the Start a New Website or Web Service Scan dialog, select Links/API Definitions > GraphQL Schema/Introspection.
  4. On the GraphQL Schema/Introspection Import dialog, enter the URL of the GraphQL endpoint that the schema describes. Select OK.
  5. From the Import Links window, select the schema file. Then, select Open.
  6. Once the scanner has imported the schema, the endpoints it contains appear in the list of Imported Links.
  7. Select Start Scan.

Importing the GraphQL schema from a URL into Invicti

How to import a GraphQL schema from a URL in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings section, select Links/API Definitions.
  4. From the From URL section, select GraphQL Schema/Introspection.
  5. From the Add an URL dialog, enter the GraphQL endpoint URL. Invicti sends an introspection query to this endpoint to retrieve the schema. If the endpoint requires a non-standard introspection query (for example, because some introspection fields are blocked), select Enable Custom Introspection Query to customize the query.
  6. Select OK to import the schema from the URL into Invicti.
  7. Select Launch to start scanning.
How to import a GraphQL schema from a URL in Invicti Standard
  1. Open Invicti Standard.
  2. From the ribbon, select New.
  3. From the Start a New Website or Web Service Scan dialog, select Links/API Definitions > GraphQL Introspection.
  4. From the Import GraphQL Introspection dialog, enter the GraphQL endpoint URL. If necessary, select Enable Custom Introspection Query to customize the query.
  5. Select OK to import the schema from the URL into Invicti.
  6. Select Start Scan.
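The URL import above works by sending an introspection query (see the Introspection entry in the key concepts table) to the endpoint and turning the answer into a list of queries and mutations to attack. The following script is an added example, not Invicti's own code, showing what that step does and how to tell whether a target has introspection disabled. The endpoint URL, the trimmed introspection query, and the sample responses are assumptions constructed for the example; nothing here was captured from a real server.

```python
"""Hypothetical helper (not Invicti code): send a GraphQL introspection
query and reduce the reply to the operations a scanner would attack."""
import json
import urllib.request

# Standard introspection query, trimmed to the parts needed to list
# operations, their arguments and their return types.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def type_name(t):
    """Render a __Type reference with NON_NULL/LIST wrappers as SDL, e.g. [ID!]!"""
    if t is None:
        return "?"
    kind = t.get("kind")
    if kind == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if kind == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"


def introspection_enabled(response):
    """False when the server refused the query (a common hardening step);
    in that case the schema has to be imported from a file instead."""
    data = response.get("data") or {}
    return "errors" not in response and data.get("__schema") is not None


def list_operations(response):
    """Return {'query': [...], 'mutation': [...]} of signature strings."""
    schema = response["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    result = {}
    for op in ("queryType", "mutationType"):
        label = op.replace("Type", "")
        result[label] = []
        root = schema.get(op)
        if not root:
            continue
        for field in types[root["name"]].get("fields") or []:
            args = ", ".join(f'{a["name"]}: {type_name(a["type"])}'
                             for a in field.get("args") or [])
            result[label].append(f'{field["name"]}({args}): {type_name(field["type"])}')
    return result


def fetch_introspection(url, query=INTROSPECTION_QUERY, timeout=10):
    """POST the introspection query to a live endpoint (assumed to accept JSON)."""
    body = json.dumps({"query": query}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from any real server).
ID_NON_NULL = {"kind": "NON_NULL", "name": None,
               "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "args": [{"name": "id", "type": ID_NON_NULL}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": ID_NON_NULL}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": ID_NON_NULL}]},
    ]}}}
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}

if __name__ == "__main__":
    # Replace with fetch_introspection("https://example.com/graphql") for a live target.
    for resp in (SAMPLE_RESPONSE, DISABLED_RESPONSE):
        if introspection_enabled(resp):
            print(json.dumps(list_operations(resp), indent=2))
        else:
            print("introspection disabled; import the schema from a file instead")
```

A mutation such as deleteUser(id: ID!) is exactly the kind of operation a scanner must know about before it can attack it, and a server that answers with an error rather than a schema is the case that forces the file-based import.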