performing-graphql-introspection-attack

Featured

Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions, and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing.

API & Backend 13,115 stars 1533 forks Updated today Apache-2.0

Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Performing GraphQL Introspection Attack

## When to Use

- Testing GraphQL endpoints for exposed introspection that reveals the complete API schema
- Mapping the attack surface of a GraphQL API to identify sensitive queries, mutations, and types
- Testing for GraphQL-specific vulnerabilities including query depth abuse, batching attacks, and field-level authorization
- Assessing GraphQL implementations where introspection is disabled but the schema can be reconstructed through error messages
- Evaluating defenses against resource exhaustion through deeply nested or complex GraphQL queries

**Do not use** without written authorization. Schema extraction and query abuse testing can impact service availability.

## Prerequisites

- Written authorization specifying the GraphQL endpoint and testing scope
- Burp Suite Professional with InQL extension (v6.1+) for automated schema analysis
- Python 3.10+ with `requests` and `gql` libraries
- GraphQL Voyager or GraphQL Playground for schema visualization
- Clairvoyance tool for schema reconstruction when introspection is disabled
- Wordlists for GraphQL field and type name brute-forcing

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1: GraphQL Endpoint Discovery

```python
import requests
import json

TARGET = "https://target-api.exam...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

performing-graphql-security-assessment (API & Backend, Featured)

Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service vulnerabilities during authorized security tests.

13,115 stars | Updated today | mukul975

performing-graphql-depth-limit-attack (API & Backend, Featured)

Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service vulnerabilities in GraphQL APIs.

13,115 stars | Updated today | mukul975

graphql-security (API & Backend, Listed)

Security audit for GraphQL APIs covering query depth and complexity limits, introspection exposure, field-level authorization, mutation auth, persisted queries, batching abuse, error message leakage, subscription auth, and Apollo/urql/graphql-yoga/Mercurius/Hasura/PostGraphile-specific patterns. Use this skill whenever the user mentions GraphQL, Apollo Server, Apollo Client, urql, graphql-yoga, Mercurius, Hasura, PostGraphile, Strawberry (Python), gqlgen (Go), resolvers, schema.graphql, .gql files, query depth, query complexity, or asks "audit my GraphQL", "GraphQL security review", "depth limit", "persisted queries". Trigger when the codebase contains `.graphql`/`.gql` files, `apollo-server`, `@apollo/server`, `graphql-yoga`, `mercurius`, or `graphql` packages.

1 star | Updated 1 week ago | hlsitechio

hunt-graphql (API & Backend, Solid)

Hunting skill for GraphQL vulnerabilities. Built from 12 public bug bounty reports across IDOR via node() / GID, mutation IDOR including AI/LLM features, cross-tenant IDOR, SSRF via argument, batching-DoS, query-cost-bypass, SQLi via argument, broken-object-level-authz, auth-bypass via unscoped mutations, and PII exposure from missing field-level authz. Use when hunting GraphQL on any target.

1,478 stars | Updated 5 days ago | elementalsouls

exploiting-excessive-data-exposure-in-api (API & Backend, Featured)

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

13,115 stars | Updated today | mukul975