GraphQL
You can scan your GraphQL schemas by uploading or providing a link to InsightAppSec.
GraphQL schemas are scanned using an attack template which incorporates attacks for the following vulnerabilities:
- SQL injection
- Blind SQL injection
- OS commanding
- Server Side Request Forgery
- Local File Inclusion/Remote File Inclusion
For more information on these see Attack Modules.
Scan GraphQL Schema
Scan your GraphQL Schema by completing the following steps. You can upload your schema file or you can specify the URL. Schemas are ordered in priority order from top to bottom. You can drag and drop to change the order.
GraphQL file formats
If you upload the schema file, the file extension must be .gql (for JSON files) or .graphqls (for SDL files).
- Open the Scan Scope > GraphQL screen.
- If you are uploading a schema files, click the File radio button and Choose file. Upload the file and click Use Selected File. If the file is hosted online, click the URL radio button and add the URL to Introspection Query URL.
- Populate the following fields:
- GraphQL Endpoint URL: Provide the path for the endpoint in the format
/graphql
. - Verb: Select the verb for the operation you’re going to run.
- Max Requests: Provide the maximum number of GraphQL requests that can be attempted during the scan.
- Host Name: Provide the host name in the format
http://hostname
orgraphQL.testdomain.com
.
Note: If the schema is at a subdomain, you can define it here. At least one of the two fields (GraphQL Endpoint URL or Host Name) must be populated.
- GraphQL Endpoint URL: Provide the path for the endpoint in the format
- Toggle Enable to on.
- You can also add additional endpoints by clicking Add Schema File or URL.
- Click Save.
Did this page help you?