Bypassing GraphQL introspection defenses

Methods to Bypass

• Try inserting a special character after the __schema keyword.

• Try characters like spaces, new lines and commas, as they are ignored by GraphQL but not by flawed regex.

• if the developer has only excluded __schema{, then the below introspection query would not be excluded.

 #Introspection query with newline

    {
        "query": "query{__schema
        {queryType{name}}}"
    }

• Try a GET request, or a POST request with a content-type of x-www-form-urlencoded.

• The example below shows an introspection probe sent via GET, with URL-encoded parameters.

    # Introspection probe as GET request

    GET /graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D