Saturday, June 15, 2024

Burp Suite New GraphQL API to Detect Hidden Endpoints

The Burp Scanner’s new GraphQL capabilities allow it to recognize known endpoints, locate hidden endpoints, determine whether introspection or recommendations are enabled, and report when an endpoint fails to validate the content type.

Portswigger, the firm behind the renowned web application security testing tool Burp Suite, has announced that Burp Scanner’s new GraphQL checks will automatically indicate multiple instances of GraphQL vulnerabilities during penetration testing.

In most cases, implementation and design problems lead to GraphQL vulnerabilities. Attacks using GraphQL often take the form of malicious requests that provide the attacker access to data or allow them to carry out unauthorized operations.

These attacks may be quite damaging, especially if the user manages to obtain administrator rights by tampering with queries or using a CSRF vulnerability. Information disclosure problems may also result from GraphQL API vulnerabilities.

Identify GraphQL API Flaws

Burp Scanner makes it easy to find the GraphQL endpoint on websites rather than having to manually search through them.

“We’ve defined some passive and active scan checks to find known endpoints automatically, allowing you to focus on finding the vulnerabilities,” the company stated.

When deploying a GraphQL endpoint to production by accident, for instance, a developer can do so without using it on the website. 

Even if a site isn’t utilizing GraphQL, Burp Suite will search for common endpoints and finds hidden deployments.

Source : portswigger

Given that a vulnerability will likely be discovered if it’s an unintentional deployment, these endpoints might be an invaluable resource for a tester.

Introspection lets you execute a query on the real schema to discover what queries it supports. Because a website might not wish to reveal the inner workings of its API to the public, it is frequently disabled in production. 

Burp will detect whether introspection is enabled; while this isn’t a vulnerability in and of itself, it may be beneficial to a tester to help test the site and to a developer to serve as a reminder to turn it off in production.

Further, the company stated that to assist in creating a proper query, certain GraphQL servers, such as Apollo, will offer recommendations when you submit an incorrect query.

Hence, even with introspection turned off, a tester may still utilize this to identify the underlying schema by using a word dictionary and the suggested answer as an oracle.

A valid schema may be created from a dictionary using a tool like clairvoyance. You may locate endpoints with recommendations enabled and report them using Burp.

A POST method with an application/json content type is used by the majority of GraphQL endpoints.

A browser cannot make this request without utilizing CORS (Cross-origin resource sharing ) if the content type is appropriately verified since sending the proper content type will be impossible.

This protects the endpoint against CSRF (Cross-site request forgery). 

However, it may be feasible to abuse the GraphQL endpoint by forging queries if a site does not check the content type and does not utilize a CSRF token, provided mitigations like SameSite cookies may be disregarded or neutralized due to the SameSite None flag. 

Burp will alert the user if a POST request with application/x-www-form-urlencoding or a GET request to the endpoint may be forged.


One of the most well-liked approaches to creating APIs and data-driven apps is now GraphQL. Traditional REST APIs provide a predetermined set of endpoints and replies, but GraphQL enables clients to query for just the data they want, increasing flexibility and efficiency for both client and server.

Knowing the most recent tools will help penetration testers uncover the most recent vulnerabilities. Today’s websites frequently employ GraphQL APIs, which expose the attack surface for a variety of security problems.

“AI-based email security measures Protect your business From Email Threats!” – .


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles