You can scan your GraphQL schemas by uploading or providing a link to InsightAppSec.
GraphQL schemas are scanned using an attack template which incorporates attacks for the following vulnerabilities:

  • SQL injection
  • Blind SQL injection
  • OS commanding
  • Server Side Request Forgery
  • Local File Inclusion/Remote File Inclusion

For more information on these see Attack Modules.

Scan GraphQL Schema

Scan your GraphQL Schema by completing the following steps. You can upload your schema file or you can specify the URL. Schemas are ordered in priority order from top to bottom. You can drag and drop to change the order.

GraphQL file formats

If you upload the schema file, the file extension must be .gql (for JSON files) or .graphqls (for SDL files).

  1. Open the Scan Scope > GraphQL screen.
  2. If you are uploading a schema files, click the File radio button and Choose file. Upload the file and click Use Selected File. Graphql schema file If the file is hosted online, click the URL radio button and add the URL to Introspection Query URL. Graphql URL
  3. Populate the following fields:
    • GraphQL Endpoint URL: Provide the path for the endpoint in the format /graphql.
    • Verb: Select the verb for the operation you’re going to run.
    • Max Requests: Provide the maximum number of GraphQL requests that can be attempted during the scan.
    • Host Name: Provide the host name in the format http://hostname or
      Note: If the schema is at a subdomain, you can define it here. At least one of the two fields (GraphQL Endpoint URL or Host Name) must be populated.
  4. Toggle Enable to on.
  5. You can also add additional endpoints by clicking Add Schema File or URL.
  6. Click Save.