Intro to GraphQL Hacking

What is GraphQL?

GraphQL is a modern API query language that changes how clients interact with servers. Unlike REST APIs, which often rely on fixed endpoints and return large amounts of unnecessary data, GraphQL allows clients to specify exactly what they need—and nothing more. This efficiency has made GraphQL incredibly popular, but it also introduces new attack surfaces.

Key Components of GraphQL

• Schemas: The blueprint of the API. It defines all the data types, fields, and their relationships. Think of it as the contract between the client and the server.
• Queries: Used to fetch data. Clients request specific fields, making it more efficient than traditional API calls.
• Mutations: Used to change data. These handle actions like creating, updating, or deleting records.

Objectives

By the end of this room, you'll:

1. Understand how GraphQL works and how it differs from traditional REST APIs.
2. Learn how to map out a GraphQL API's structure and find hidden fields.
3. Identify and exploit common vulnerabilities like excessive data exposure and SQL injection.
4. Discover practical ways to secure GraphQL APIs against these issues.

Prerequisites

Before getting started, make sure you're familiar with:

1. How APIs work, including basic HTTP requests and responses.
2. Interacting with APIs using tools like Burp.
3. Basic scripting skills (Python is a good choice for automating tests).
4. Common web application security issues, like unauthorised access or data leaks.

Starting the Machine

Deploy the target VM attached to this task by pressing the green Start Machine button. After obtaining the machine's generated IP address, you can either use the AttackBox or your own VM connected to TryHackMe's VPN.

Add MACHINE_IP to your /etc/hosts file. For example:

MACHINE_IP    graphql.thm

Or use the command:

sudo bash -c "echo MACHINE_IP graphql.thm >> /etc/hosts"

We will be using the web application running on this machine in the upcoming tasks.