Performing GraphQL Introspection Attack

When to Use

  • Testing GraphQL endpoints for exposed introspection that reveals the complete API schema
  • Mapping the attack surface of a GraphQL API to identify sensitive queries, mutations, and types
  • Testing for GraphQL-specific vulnerabilities including query depth abuse, batching attacks, and field-level authorization
  • Assessing GraphQL implementations where introspection is disabled but the schema can still be reconstructed from error messages (field suggestions)
  • Evaluating defenses against resource exhaustion through deeply nested or complex GraphQL queries

Do not use without written authorization. Schema extraction and query abuse testing can impact service availability.

Prerequisites

  • Written authorization specifying the GraphQL endpoint and testing scope
  • Burp Suite Professional with InQL extension (v6.1+) for automated schema analysis
  • Python 3.10+ with requests and gql libraries
  • GraphQL Voyager or GraphQL Playground for schema visualization
  • Clairvoyance tool for schema reconstruction when introspection is disabled
  • Wordlists for GraphQL field and type name brute-forcing
Installs: 25
GitHub Stars: 6.2K
First Seen: Mar 15, 2026