hunt-graphql

## Crown Jewel Targets GraphQL vulnerabilities are high-value because the attack surface is both broad and deep — a single endpoint can expose entire data models, privilege escalation paths, and cross-API state confusion. Highest payouts occur in: - **Platform APIs** (GitHub, Shopify, Stripe-tier targets) where GraphQL mutations interact with REST APIs managing the same resources - **Race conditions between GraphQL mutations and REST endpoints** where state synchronization is non-atomic — these hit medium-to-high severity reliably - **Authorization persistence bugs** where team/org/repo membership state is controlled by one API but readable/writable by another - **B2B SaaS platforms** where one tenant affecting another via schema traversal = critical - **Internal admin GraphQL endpoints** accidentally exposed to lower-privilege users The GitHub reports demonstrate the crown jewel pattern: **privilege that should be revoked persists because two APIs disagree on ground truth**. --- ## Attack Surface Signals **URL Patterns:** ``` /graphql /api/graphql /v1/graphql /query /gql /graph /api/v2/graphql /internal/graphql ``` **Response Headers:** ``` Content-Type: application/json (with query body) X-Request-Id + no REST-style path params = likely GraphQL ``` **JavaScript Source Patterns:** ```js // grep for these in JS bundles "query {" "mutation {" "__typename" "apollo" "ApolloClient" "graphql-tag" "gql`" "operationName" "GRAPHQL_URI" ``` **Tech Stack Signals:** - Apollo S...