Wednesday, April 30, 2025
HomeCyber Security NewsBurp Suite New GraphQL API to Detect Hidden Endpoints

Burp Suite New GraphQL API to Detect Hidden Endpoints

Published on

SIEM as a Service

Follow Us on Google News

The Burp Scanner’s new GraphQL capabilities allow it to recognize known endpoints, locate hidden endpoints, determine whether introspection or recommendations are enabled, and report when an endpoint fails to validate the content type.

Portswigger, the firm behind the renowned web application security testing tool Burp Suite, has announced that Burp Scanner’s new GraphQL checks will automatically indicate multiple instances of GraphQL vulnerabilities during penetration testing.

In most cases, implementation and design problems lead to GraphQL vulnerabilities. Attacks using GraphQL often take the form of malicious requests that provide the attacker access to data or allow them to carry out unauthorized operations.

- Advertisement - Google News

These attacks may be quite damaging, especially if the user manages to obtain administrator rights by tampering with queries or using a CSRF vulnerability. Information disclosure problems may also result from GraphQL API vulnerabilities.

Identify GraphQL API Flaws

Burp Scanner makes it easy to find the GraphQL endpoint on websites rather than having to manually search through them.

“We’ve defined some passive and active scan checks to find known endpoints automatically, allowing you to focus on finding the vulnerabilities,” the company stated.

When deploying a GraphQL endpoint to production by accident, for instance, a developer can do so without using it on the website. 

Even if a site isn’t utilizing GraphQL, Burp Suite will search for common endpoints and finds hidden deployments.

Source : portswigger

Given that a vulnerability will likely be discovered if it’s an unintentional deployment, these endpoints might be an invaluable resource for a tester.

Introspection lets you execute a query on the real schema to discover what queries it supports. Because a website might not wish to reveal the inner workings of its API to the public, it is frequently disabled in production. 

Burp will detect whether introspection is enabled; while this isn’t a vulnerability in and of itself, it may be beneficial to a tester to help test the site and to a developer to serve as a reminder to turn it off in production.

Further, the company stated that to assist in creating a proper query, certain GraphQL servers, such as Apollo, will offer recommendations when you submit an incorrect query.

Hence, even with introspection turned off, a tester may still utilize this to identify the underlying schema by using a word dictionary and the suggested answer as an oracle.

A valid schema may be created from a dictionary using a tool like clairvoyance. You may locate endpoints with recommendations enabled and report them using Burp.

A POST method with an application/json content type is used by the majority of GraphQL endpoints.

A browser cannot make this request without utilizing CORS (Cross-origin resource sharing ) if the content type is appropriately verified since sending the proper content type will be impossible.

This protects the endpoint against CSRF (Cross-site request forgery). 

However, it may be feasible to abuse the GraphQL endpoint by forging queries if a site does not check the content type and does not utilize a CSRF token, provided mitigations like SameSite cookies may be disregarded or neutralized due to the SameSite None flag. 

Burp will alert the user if a POST request with application/x-www-form-urlencoding or a GET request to the endpoint may be forged.

Conclusion

One of the most well-liked approaches to creating APIs and data-driven apps is now GraphQL. Traditional REST APIs provide a predetermined set of endpoints and replies, but GraphQL enables clients to query for just the data they want, increasing flexibility and efficiency for both client and server.

Knowing the most recent tools will help penetration testers uncover the most recent vulnerabilities. Today’s websites frequently employ GraphQL APIs, which expose the attack surface for a variety of security problems.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...