How to intercept and send HTTP requests for GraphQL?
I saw some people are able to find security bugs via GraphQL on Facebook. How do they do it?
Are there any tools available to test these calls?
2 Answers
Facebook GraphQL is an internal API so I’m not sure anyone here will be able to give you a detailed answer on using it. For testing GraphQL, you will want to check to see if a public schema is available.
Starting at https://graphql.org/ or going into the spec itself https://facebook.github.io/graphql/ might be of interest to you.
If the schema is not available then you’re going to have to understand how the app works, follow the requests and make assumptions (like in the case with Facebook)
0
In order to intercept and manipulate HTTP requests for GraphQL, you have several options at your disposal. One widely adopted method involves employing a proxy server. Essentially, a proxy server acts as an intermediary between your system and the GraphQL server, channeling all HTTP requests and responses through it. This affords you the opportunity to scrutinize and amend these requests and responses prior to their final destination.
Alternatively, you can opt for browser extensions or debugging tools to intercept GraphQL requests. These tools enable you to capture and alter all HTTP requests made by your browser, encompassing GraphQL requests as well.
Once you’ve successfully intercepted a GraphQL request, you can utilize an HTTP client like curl or Postman to dispatch it to the GraphQL server. Furthermore, you retain the flexibility to modify the request as needed, whether it entails adding/removing headers or altering the request body.
Now, addressing security concerns in GraphQL is paramount. These vulnerabilities often stem from inadequacies in the GraphQL schema or in the construction of GraphQL queries. For instance, a GraphQL schema might inadvertently permit unauthorized users to access sensitive data or execute unauthorized actions. Moreover, improperly formatted GraphQL queries can provoke unexpected responses or even destabilize the GraphQL server.
When it comes to assessing and testing GraphQL calls, you’re in luck; there is a plethora of tools at your disposal. Some prominent options include:
Apollo Client Developer Tools: This browser extension boasts a wide array of functionalities for testing GraphQL applications, encompassing the ability to intercept and manipulate GraphQL requests.
Insomnia: Both a desktop and web application, Insomnia is designed for API testing, including GraphQL APIs.
Postman: Another versatile desktop and web application, Postman facilitates API testing, making it suitable for GraphQL APIs as well.
Regarding how security bugs are discovered in GraphQL on platforms like Facebook, individuals typically employ the aforementioned tools and techniques to intercept and tweak GraphQL requests. For instance, a security researcher might intercept a GraphQL request employed to retrieve user data. Subsequently, they could manipulate the request to attempt unauthorized access to sensitive information.
Should the researcher successfully access this sensitive data, it signifies the discovery of a security bug within Facebook’s GraphQL API. Following this discovery, the responsible researcher proceeds to report the bug to Facebook, thereby initiating the necessary remediation process.
1