Introduction
GraphQL was designed to solve a problem: allow frontend developers to query exactly what they need — nothing more, nothing less. But while it makes app development cleaner, it also makes attackers deadlier. When misconfigured, a GraphQL endpoint becomes a goldmine for hackers. Introspection reveals the internal schema. Nested queries pull deep relational data. Batching attacks allow a flood of payloads in a single request.
This article breaks down the journey from reconnaissance to Remote Code Execution (RCE) in GraphQL APIs — based on real techniques and bugs from the wild.
Phase 1: Discovering the GraphQL Endpoint
Before the attack begins, the target must be identified.
Recon Tips:
- Use tools like waybackurls, gau, or hakrawler to look for /graphql, /api/graphql, /gql, or /playground.
- Look in JavaScript files for fetch/XHR patterns:
fetch('/graphql', {
  method: 'POST',
  // GraphQL servers generally expect a JSON body and reject requests without this header
  headers: { 'Content-Type': 'application/json' },
  // an introspection query: asks the server to list every type in its schema
  body: JSON.stringify({ query: "{ __schema { types { name } } }" })
})
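The same three behaviours the introduction names (introspection, deep nesting, batching) are what a defender can screen for at the endpoint before the request reaches the resolver. The following is an added example, not code from the article: a small Python request inspector that flags introspection queries, over-deep selection sets and oversized batches, run over constructed sample request bodies; the depth and batch thresholds are assumptions.

```python
import json
import re
from typing import Union

# Constructed sample POST bodies, as a GraphQL middleware or WAF would see them.
INTROSPECTION = json.dumps({"query": "{ __schema { types { name } } }"})
DEEP = json.dumps({"query": "{ user { friends { friends { friends { friends { name } } } } } }"})
BATCH = json.dumps([{"query": "{ me { id } }"}] * 20)
NORMAL = json.dumps({"query": "{ me { id name } }"})

# __schema / __type expose the schema; __typename is harmless and deliberately not matched.
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")


def query_depth(query: str) -> int:
    """Maximum brace-nesting depth of a selection set (braces inside string literals ignored)."""
    depth = max_depth = 0
    in_string = False
    i = 0
    while i < len(query):
        ch = query[i]
        if in_string:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def flag_request(body: str, max_depth: int = 5, max_batch: int = 10) -> list:
    """Return the reasons a GraphQL POST body should be flagged; an empty list means it passed."""
    payload: Union[dict, list] = json.loads(body)
    reasons = []
    ops = payload if isinstance(payload, list) else [payload]
    if isinstance(payload, list) and len(ops) > max_batch:   # batching: many operations in one HTTP request
        reasons.append(f"batched request with {len(ops)} operations")
    for op in ops:
        q = op.get("query", "")
        if INTROSPECTION_RE.search(q):
            reasons.append("introspection query")
        d = query_depth(q)
        if d > max_depth:
            reasons.append(f"query depth {d} exceeds {max_depth}")
    return reasons
```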