2. What to Expect
● What is GraphQL
● How GraphQL differs from REST APIs
● How GraphQL works
● GraphQL Terminologies
● Introspection
● Why Introspection can be dangerous
● Tools
● Common vulnerabilities & how to exploit them
3. What is GraphQL?
GraphQL is a query language used by APIs to access data from a backing data store
through a single endpoint. It makes this possible with a defined schema, and each
query specifies exactly which data we want to access.
4. How GraphQL differs from REST APIs?
❖ REST API
● It fetches all of a resource's data, whether required or not ("over-fetching").
● It needs multiple network requests to get multiple resources.
❖ GraphQL
● GraphQL allows multiple resource requests in a single query call.
● Saves time and bandwidth.
● Increased complexity == more errors.
6. Where to find endpoints?
GraphQL is usually exposed at specific endpoints:
● /graphql
● /gql
● /graphiql
● /graphql/console
● /graph
● /graphql.php
Also, look for requests and responses that reference queries and mutations.
7. GraphQL Terminologies
● Query : To fetch the data
● Mutations: To modify the data
● Fields: Specify exactly what data we want to receive.
● Node: Object containing the data.
● Edge: Connects two nodes.
10. Introspection
A GraphQL server supports introspection over its schema using the same GraphQL query language.
A server exposes the following introspection queries on the Query operation type:
● __schema: Enables us to fetch the whole schema.
● __type: Describes the types the schema has.
● __queryType: Shows which operations are available in the schema.
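As an added example (not from the original slides), the Python below shows what the __schema query above gives back by parsing a constructed sample response into the query and mutation fields it exposes, plus a defender-side check that flags introspection requests in a request body, the kind of rule you would put in a gateway once introspection is disabled in production.

```python
import json
import re

# Minimal introspection query: asks the server for its schema via __schema.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types { name kind fields { name } }
  }
}
"""

# Constructed sample response, shaped like a server's answer to the query above.
SAMPLE_RESPONSE = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"name": "Query", "kind": "OBJECT",
             "fields": [{"name": "user"}, {"name": "posts"}]},
            {"name": "Mutation", "kind": "OBJECT",
             "fields": [{"name": "deleteUser"}]},
            {"name": "User", "kind": "OBJECT",
             "fields": [{"name": "id"}, {"name": "email"}]},
            {"name": "String", "kind": "SCALAR", "fields": None},
        ]}}})


def summarize_schema(response_json):
    """Map each root operation type name to the field names it exposes."""
    schema = json.loads(response_json)["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    summary = {}
    for op in ("queryType", "mutationType"):
        root = schema.get(op)
        if root:  # mutationType is null when the schema defines no mutations
            fields = by_name[root["name"]].get("fields") or []
            summary[root["name"]] = [f["name"] for f in fields]
    return summary


# Matches the introspection fields __schema and __type, but not __typename.
INTROSPECTION_FIELDS = re.compile(r"\b__(schema|type)\b")


def is_introspection_request(body):
    """True if a JSON request body's query selects __schema or __type."""
    query = json.loads(body).get("query", "")
    return bool(INTROSPECTION_FIELDS.search(query))
```

The regex check is deliberately simple; it does not parse the query, so it will also match the names inside string literals or comments.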