GraphQL Voyager as a tool for API security testing

Nikita Stupin
Apr 4, 2019 · 3 min read
One of Google Image results on “voyager” query. Image source.

You are facing GraphQL API and want to test its security. But introspection query gives you huge unreadable JSON, web application uses only part of GraphQL API, and of course there is no public documentation. How to understand and test GraphQL API in such case?

Luckily there is the tool called GraphQL Voyager which visualises GraphQL schema. It’s especially useful for understanding GraphQL API and finding authorization vulnerabilities.


If you are new to GraphQL here are good starting points for learning it:

  1. https://www.howtographql.com/ — takes interactive approach with practical tasks and milestones. Gets you from zero to your first GraphQL application.
  2. https://graphql.org/learn/ — utilises documentation approach. Good to learn specific topics on GraphQL.
  3. [upd 04.07.19] https://ctf.hacker101.com — HackerOne created two tasks for GraphQL. It’s a good place to give Voyager a try. Tasks named as BugDB v1 and BugDB v2.

Why use GraphQL Voyager?

Unfortunately schema is usually returned as huge JSON thus it’s to understand API by reading it. A visual representation of the same schema is a completely different story. Better to see once than hear a hundred times:

JSON vs IMAGE

How to use

Step 1. Obtain specially crafted introspection query:

Step 2. Execute introspection query agains target GraphQL endpoint:

Step 3. Copy and paste obtained GraphQL schema to Voyager.


Step 2 may vary from target to target since GraphQL requests may be implemented differently but you’ve got a general idea.

Conclusion

But it can be further improved by adding a “diff” feature. The idea is that you can monitor changes in target’s GraphQL API and then visualise diff of this changes. This will help you to quickly reveal new functionality and understand changes in existing one.

I’ve created an issue for the diff feature on Voyager’s GitHub. You may contribute in its development by:

  1. (easy way) Voting up on issue. So developers will prioritise it.
  2. (hard way) Get your hands dirty and code this feature since GraphQL Voyager is open source project.

InfoSec Write-ups

A collection of write-ups from the best hackers in the…

Nikita Stupin

Written by

https://twitter.com/_nikitastupin

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Nikita Stupin

Written by

https://twitter.com/_nikitastupin

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store