Bug bounty hunting is a thrilling race to find security flaws before the bad guys do. While most hunters focus on subdomains, REST APIs, or XSS, a new frontier is emerging: GraphQL APIs. These powerful, flexible APIs power modern apps at companies like GitHub and Shopify, but their complexity makes them a treasure trove for vulnerabilities. From introspection leaks to broken access controls, GraphQL bugs can earn you $1,000–$10,000 bounties. In this comprehensive guide, we’ll show you how to hunt GraphQL vulnerabilities like a pro, using free tools and real-world techniques. Whether you’re a beginner or a seasoned hunter, this article will teach you how to find GraphQL endpoints, exploit common flaws, and turn queries into rewards. Let’s dive into the GraphQL goldmine!

Why GraphQL Is a Bug Hunter’s Dream

GraphQL is a query language for APIs that lets clients request exactly the data they need. Unlike REST APIs with fixed endpoints (e.g., /api/v1/users), GraphQL uses a single endpoint (e.g., /graphql) and dynamic queries, making it powerful but prone to misconfigurations. Here’s why it’s a prime target:

• Introspection Leaks: GraphQL’s introspection feature can reveal the entire API schema, exposing sensitive fields like user.email or admin.secrets.
• Broken Access Controls: Misconfigured permissions may let you access unauthorized data (e.g., admin details as a regular user).
• High Impact: Bugs like data leaks or privilege escalation are critical, fetching big bounties.
• Less Competition: GraphQL is newer and less understood, so fewer hunters target it compared to XSS or SQL injection.

Recent HackerOne reports show GraphQL bugs earning $2,000–$10,000, like a Shopify case where a hunter accessed admin data via a misconfigured query. This article will walk you through finding and exploiting these flaws.

Prerequisites: What You Need

• Tools: Burp Suite Community Edition, curl, graphqlmap (pip install graphqlmap), ffuf (go install github.com/ffuf/ffuf@latest), and a browser (Chrome/Firefox).
• Basic Knowledge: Familiarity with HTTP requests and bug bounty basics (e.g., scopes, PoCs).
• Target: A bug bounty program with GraphQL in scope (check HackerOne/Bugcrowd for .graphql or /graphql).
• Safe Practice: Use PortSwigger’s Web Security Academy or graphql-lab.com for legal testing.

Step-by-Step Guide: Hunting GraphQL Vulnerabilities

Step 1: Find GraphQL Endpoints

GraphQL APIs often hide in plain sight. Here’s how to locate them efficiently:

1. Check Common Endpoints:

• Test standard GraphQL paths with curl or Burp Suite:

curl https://example.com/graphql
curl https://api.example.com/graphiql
curl https://example.com/api/graphql

• Look for responses with application/json containing data or errors fields, indicating a GraphQL endpoint.

2. Use OSINT:

• Search crt.sh for subdomains hosting GraphQL:

curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | grep -i "graphql\|api"

• Check robots.txt or sitemap.xml for /graphql or /graphiql.

3. Crawl with Burp Suite:

• Configure Burp’s proxy (127.0.0.1:8080) and browse the target site.
• In Target > Site map, filter for /graphql, /graphiql, or /api.
• Look for JavaScript files mentioning GraphQL (use JS Link Finder from previous articles).

4. Outcome: A list of GraphQL endpoints (e.g., https://api.example.com/graphql).

Step 2: Test for Introspection

Introspection lets you query a GraphQL API’s schema, revealing fields, types, and queries. If unprotected, it’s a goldmine for finding sensitive data.

1. Send an Introspection Query:

• Use curl to test:

curl -X POST -H "Content-Type: application/json" -d '{"query": "query { __schema { types { name } } }"}' https://api.example.com/graphql

• If it returns a schema (e.g., {"data": {"__schema": {"types": [{"name": "User"}]}}}), introspection is enabled.

2. Use GraphQLmap:

• Install: pip install graphqlmap
• Dump the schema:

graphqlmap -u https://api.example.com/graphql --dump-schema > schema.json

• Look for sensitive types like User, Admin, Secrets, or Credentials.

Outcome: A schema file (schema.json) revealing queries, mutations, and fields to target.

Step 3: Probe for Sensitive Data

Use the schema to craft queries for sensitive information.

1. Craft Queries:

• If the schema includes a User type with fields like email or apiKey, try:

curl -X POST -H "Content-Type: application/json" -d '{"query": "query { user(id: 1) { email apiKey } }"}' https://api.example.com/graphql

• If it returns {"data": {"user": {"email": "[email protected]", "apiKey": "abc123"}}} without authentication, it’s a bug.

2. Test Mutations:

• Mutations modify data (e.g., update user settings). Check for unauthorized access:

curl -X POST -H "Content-Type: application/json" -d '{"query": "mutation { updateUser(id: 1, role: \"admin\") { id } }"}' https://api.example.com/graphql

• If it updates a user’s role without auth, it’s a privilege escalation.

Outcome: Identify queries or mutations exposing sensitive data or actions.

Step 4: Test for Broken Access Controls

GraphQL’s flexibility can lead to weak permissions, letting you access unauthorized data.

1. Test Object-Level Access:

• Query for other users’ data:

curl -X POST -H "Content-Type: application/json" -d '{"query": "query { user(id: 2) { email } }"}' https://api.example.com/graphql

• If you’re user ID 1 but get user ID 2’s data, it’s a broken access control.

2. Test Field-Level Access:

• Request sensitive fields like adminToken:

curl -X POST -H "Content-Type: application/json" -d '{"query": "query { user(id: 1) { adminToken } }"}' https://api.example.com/graphql

• If it returns sensitive data, it’s a bug.

Outcome: Find unauthorized access to data or actions.

Step 5: Exploit Batch Query Vulnerabilities

GraphQL allows batching multiple queries in one request, which can bypass rate limits or expose data.

1. Test Batch Queries:

• Send multiple queries:

curl -X POST -H "Content-Type: application/json" -d '[{"query": "query { user(id: 1) { email } }"}, {"query": "query { user(id: 2) { email } }"}]' https://api.example.com/graphql

• If it returns data for multiple users, it’s a potential DoS or data leak.

2. Outcome: Identify batch query flaws that amplify impact.

Step 6: Fuzz GraphQL Endpoints

Use a wordlist to fuzz GraphQL queries and parameters for hidden fields or endpoints.

1. Create a Wordlist (graphql_fuzz_wordlist.txt):

email
password
apiKey
secret
token
adminToken
userId
role
permissions
settings
config
data
privateData
secrets
credentials
profile
users
admin
query
mutation
updateUser
deleteUser
createUser

2. Fuzz with ffuf:

ffuf -u https://api.example.com/graphql -H "Content-Type: application/json" -d '{"query": "query { FUZZ { id } }"}' -w graphql_fuzz_wordlist.txt -o results-graphql.json

• Look for 200 responses indicating valid queries (e.g., users or secrets).

Outcome: Discover hidden fields or queries exposing sensitive data.

Step 7: Report Bugs for Rewards

When you find a vulnerability, report it clearly:

1. Craft a Report:

• Include:
• Steps to Reproduce: E.g., “Sent introspection query to /graphql and accessed user.apiKey without auth.”
• PoC: curl command or screenshot.
• Impact: “Exposed API keys allow unauthorized access to sensitive data.”
• Submit via HackerOne or Bugcrowd.

2. Example Report:

• Title: Unauthenticated Access to User Data via GraphQL Introspection
• Description: Introspection query revealed user.apiKey. Querying user(id: 1) returned {"apiKey": "xyz789"} without authentication.
• PoC: curl -X POST -d '{"query": "query { user(id: 1) { apiKey } }"}' <https://api.example.com/graphql>
• Impact: Data leak risks account compromise.
• Reward: Potentially $2,000–$10,000.

3. Follow Rules: Ensure the endpoint is in scope and don’t disclose findings publicly until resolved.

Real-World Example: A $5,000 GraphQL Bug

Inspired by a Shopify HackerOne report:

• Target: A company with /graphql in scope.
• Process:
• Found /graphql using Burp Suite.
• Ran introspection query, revealing admin type with secretKey field.
• Queried admin(id: 1) and got {"secretKey": "abc123"} without auth.
• Result: Reported as a critical data leak, earning $5,000.
• Why It Worked: Targeted GraphQL testing uncovered a high-impact flaw missed by generic scans.

Pro Tips for GraphQL Hunting

• Check for GraphiQL: Visit /graphiql or /playground—interactive tools often left exposed for testing queries.
• Test Rate Limits: Send batch queries to check for DoS vulnerabilities.
• Combine with JS Analysis: Use JS Link Finder to find GraphQL endpoints in .js files.
• Stay Ethical: Only test in-scope programs and avoid excessive requests.
• Learn from Reports: Read HackerOne GraphQL disclosures for patterns.

Tools You’ll Need

• Discovery: crt.sh, waybackurls, Burp Suite.
• Testing: curl, graphqlmap, ffuf.
• Environment: Linux/Mac or WSL on Windows.

Why This Topic Stands Out

• Niche Focus: GraphQL is less covered than REST or XSS, attracting readers seeking new techniques.
• High Engagement: Practical commands and PoCs appeal to hands-on learners.
• Trending: Aligns with rising GraphQL adoption and bug bounty payouts.
• Scalable: Covers basics for beginners and advanced exploits for pros, ensuring wide appeal.

Conclusion

GraphQL APIs are a goldmine for bug hunters, offering high-value vulnerabilities with less competition. By mastering endpoint discovery, introspection, access control testing, and fuzzing, you can uncover bugs that pay big. Start with a bug bounty program on HackerOne or Bugcrowd, use tools like graphqlmap and Burp Suite, and practice on safe labs like PortSwigger’s Web Security Academy. Your next GraphQL bug could be worth thousands—happy hunting!