GraphQL Support - Introduction

Perform introspection of a GraphQL app to generate routes based on available operations. The scanner can be configured to enumerate all available types and input parameters for Query and Mutation’s , or for each individual type separately.

Please see GraphQL configuration settings for more details.

Operation Generation

Functional Overview

  1. HawkScan initially introspects the GraphQL schema endpoint for available types and operations.
  2. After collecting input types and arguments, HawkScan generates requests and populates arguments with test values to begin spidering the GraphQL api in preparation for attack.
  3. Requests sent as POST by default, while using GET requests is a configurable option. See requestMethod in the GraphQL configurations for more info
  4. The active scanner goes to work on each route discovered by the spider.

GraphQL Configuration

At a minimum, HawkScan requires app.graphqlConf.enabled set to true in stackhawk.yaml.

app.graphqlConf.schemaPath

Provide a relative path to the introspection endpoint.
This should also be the GraphQL api endpoint for sending queries. Note: If no schema path has been provided, the scanner will default to look for it at /graphql

app.graphqlConf.filePath

It is possible to provide the GraphQL schema as a JSON file. Provide the relative path to a JSON formatted GraphQL schema. This path is relative to the HawkScan Docker context which is the current working directory, by default. Note: A schemaPath will still need to be provided if the GraphQL endpoint is not at /graphql

app.graphqlConf.uriMaxLength

Some queries can exceed recommended lengths when using the GET request method. Max URI length for GET requests will truncate long URIs and may result in misfired requests.

app.graphqlConf.operation

By default, the spider generates operation requests for both Query and Mutation types. Use this option to target one or the other individually.

The following is an example of a base configuration for scanning GraphQL:

Example:

stackhawk.yml

app:
  host: http://localhost:3000
  graphqlConf:
    enabled: true
    schemaPath: /relative/uri/path/graphql
    filePath: relative/path/to/gql/schema.json
    operation: MUTATION
    requestMethod: GET

Note: Take note of other configured scanning features such as *OpenAPI* or *AJAX Spider* support as this may delay scan times and completion in larger environments.

Example GraphQL Schema Introspection

More information on GraphQL fields, types, variables and operations can be found in the following series of documents:

HawkScan expects a well-formed GraphQL schema definition which conforms to the GraphQL specification.

A simple example:

schema

{
  "data": {
    "__schema": {
      "queryType": {
        "name": "Query"
      },
      "mutationType": {
        "name": "Mutation"
      },
      "subscriptionType": null,
      "types": [
        {
          "kind": "OBJECT",
          "name": "Query",
          "description": null,
          "fields": [
            {
              "name": "post",
              "description": null,
              "args": [
                {
                  "name": "where",
                  "description": null,
                  "type": {
                    "kind": "NON_NULL",
                    "name": null,
                    "ofType": {
                      "kind": "INPUT_OBJECT",
                      "name": "PostWhereUniqueInput",
                      "ofType": null
                    }
                  },
                  "defaultValue": null
                }
              ],
              "type": {
                "kind": "OBJECT",
                "name": "Post",
                "ofType": null
              },
              "isDeprecated": false,
              "deprecationReason": null
            }
		  ]
	    }
	  ]
	}
  }
}

HawkScan generated requests

*HawkScan* provides support for both POST and GET requests.

POST request.

POST http://localhost:4000 HTTP/1.1
User-Agent: HawkScan/2.0; StackHawk, Inc. (https://www.stackhawk.com)
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 296
Accept: application/json
Content-Type: application/json
Host: localhost:4000

{
  "query": "query filterPosts($searchString:String ) { filterPosts(searchString:$searchString) { id } }",
  "variables": {
    "searchString": "KaaaKaww!"
  }
}

GET request.

http://localhost:4000?query=filterPosts($searchString:String%20)%20%7B%20filterPosts(searchString:$searchString)%20%7B%20id%20%7D%20%7D&variable

Query and Mutation operations are both enumerated by default. This behavior can be altered to allow targeting either Query or Mutation operations only. See .graphqlConf for more info.