Tutorial on GraphQL Injection

Recently, I have learned a few new injection attacks and one of them is GraphQL Injection. Before we understand how the attack works, we need to first understand what is GraphQL is.

GraphQL is an open-source for the Data Query Language (DQL) and Data Manipulation Language(DML) where GraphQL was initially been developed by Facebook around 2012 and released around 2015. As people are aware of Web-Services Architectures such as REST have provided a more efficient and good alternative has become the main advantage.

However, GraphQL is been backed up from existing source code and not tied to any specific database format

GraphQL Vulnerabilities can be found by using the tools as mentioned below:

Basic code for the GraphQL may look something like below:

var { graphql, buildSchema } = require('graphql');

// Construct a schema, using GraphQL schema language
var schema = buildSchema(`
  type Query {
    hello: String

// The root provides a resolver function for each API endpoint
var root = {
  hello: () => {
    return 'Hello world!';

// Run the GraphQL query '{ hello }' and print out the response
graphql(schema, '{ hello }', root).then((response) => {

From the code above, we can made sure of the query response by checking if the application will reply the response.

Normally, we can received “GET Method Allow” back within the response from the application itself. You can check it by using Burpsuite tools or Curl method

The path that can be used for Path Traversal will be something which look like below:

  • /graphql/
  • /graphql/console/
  • /graphql.php


After we have test using the query request, you can see something like


GraphQLid  {






Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *