DEV Community

Mr Elite

Posted on • Originally published at securityelites.com

GraphQL Bug Bounty 2026 — Introspection Abuse, Injection & Broken Authorization | BB Day 22



🎯 BUG BOUNTY MASTERY

Part of the 60-Day Bug Bounty Mastery Course

Day 22 of 60 · 36.7% complete

⚠️ Authorised Testing Only: Test GraphQL vulnerabilities exclusively within bug bounty programme scope or on systems you own. Accessing other users’ data through IDOR — even in a testing context — may constitute an unauthorised access offence. Read the programme’s policy on data access before testing authorization flaws. When demonstrating IDOR, use two accounts you control rather than accessing real user data.

GraphQL Bug Bounty for 2026: while most hunters still queue up the same XSS and SQL injection checks on every target, the hunters consistently landing Critical payouts are the ones who follow the GraphQL endpoint to its schema. A single introspection query against a misconfigured GraphQL API returns the complete blueprint of the backend: every query, every mutation, every field and every argument, including the admin operations that never appear in the UI and the internal ID fields that make IDOR trivial to test. Day 22 teaches you how to find GraphQL endpoints, extract schemas, map the attack surface, test for broken authorization and injection, and write reports that get paid.

🎯 What You’ll Master in Day 22

Discover GraphQL endpoints in web applications and extract full schemas via introspection
Map mutations and queries from the schema for IDOR and authorization testing
Test and report GraphQL IDOR via direct object ID manipulation
Test for injection vulnerabilities in GraphQL query arguments
Use batch query abuse to bypass rate limiting on sensitive operations

⏱️ 45 min · 3 exercises · Burp Suite recommended

### 📋 Prerequisites — Day 22

- Day 21: HTTP Request Smuggling — request manipulation fundamentals
- Burp Suite Community (free) installed — used for intercepting and replaying GraphQL requests
- Altair GraphQL Client browser extension (optional but recommended for schema exploration)

### 📋 GraphQL Bug Bounty 2026 — Contents

1. Finding GraphQL Endpoints
2. Introspection — The Free Schema Dump
3. IDOR via Direct Object IDs
4. Broken Authorization on Mutations
5. GraphQL Injection
6. Batch Query Abuse for Rate Limit Bypass

## Finding GraphQL Endpoints

GraphQL APIs don't announce themselves the way REST APIs do: there is no Swagger UI at a predictable URL (although some deployments do leave a GraphiQL or Playground page sitting on the endpoint itself). Finding the endpoint is the first step. The most reliable method is watching your browser's Network tab during normal application use. GraphQL traffic almost always goes to a single path, as POST requests with a JSON body containing a query field (usually with operationName and variables alongside it); a few clients send GET requests with the query in a ?query= parameter instead. Burp Suite's HTTP history captures these automatically when you proxy the application.

For applications where you haven't spotted GraphQL traffic, probe the common endpoint paths below. Send a POST with the JSON body {"query": "{ __typename }"} to each path. A live GraphQL endpoint answers {"data": {"__typename": "Query"}}; the root type is usually named Query, but some servers use another name (QueryRoot, for example), so match on the shape of the response rather than the literal string. An endpoint that exists but rejects the request (authentication required, POST disabled, introspection blocked) returns a JSON body with an errors array, which also confirms GraphQL is there. Non-GraphQL paths return HTML error pages or unrelated JSON that doesn't match either pattern. Two caveats: always send Content-Type: application/json, because servers with CSRF prevention (Apollo Server is one) reject form-style content types outright, and if a path answers POST with a method error, retry it as GET with ?query=%7B__typename%7D.

GraphQL endpoint discovery

```bash
# Common GraphQL endpoint paths to probe
PATHS=(/graphql /api/graphql /v1/graphql /graphql/v1 /query /gql)

# Quick probe with curl: __typename query against each path
for p in "${PATHS[@]}"; do
  printf '%s -> ' "$p"
  curl -s -X POST "https://target.com$p" \
    -H "Content-Type: application/json" \
    -d '{"query":"{ __typename }"}' | head -c 200
  echo
done

# Positive response (endpoint exists)
# {"data": {"__typename": "Query"}}

# Also check JS bundles for hardcoded endpoints. The character class is
# quantified with * (not +) so a bare "/graphql" string is matched too.
curl -s https://target.com/static/main.js | grep -oiE '"(/[a-z0-9/_-]*(graphql|gql)[^"]*)"'
```
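The curl loop above shows the probe; the script below is an added example (not the author's tooling) that does the same thing from Python and, more usefully, classifies each reply into the three cases the text describes: a live endpoint, an endpoint that exists but rejected the query, and a non-GraphQL path. It uses only the standard library. The two playground paths added to PATHS are an assumption based on common deployments, and the sample replies at the bottom are constructed so the classifier can be run offline.

```python
"""Probe candidate paths for a GraphQL endpoint and classify each reply.

Added example for this article, not the author's tooling. Standard library
only. PATHS extends the article's list with two playground paths that are
commonly left exposed (assumption); the sample replies at the bottom are
constructed so the classifier can be exercised offline.
"""
import json
import sys
import urllib.error
import urllib.request

PROBE_QUERY = {"query": "{ __typename }"}

PATHS = [
    "/graphql", "/api/graphql", "/v1/graphql", "/graphql/v1", "/query", "/gql",
    "/graphiql", "/playground",  # assumption: playground UIs often share the path
]


def classify(body: bytes) -> str:
    """Classify the body of one reply to the __typename probe.

    "graphql"       -> data.__typename present: a live GraphQL endpoint. The
                       root type is usually "Query" but may be named anything
                       (e.g. "QueryRoot"), so only the shape is checked.
    "graphql-error" -> an errors[] array of {message: ...} objects: the endpoint
                       exists but rejected the request (auth, method, CSRF guard).
    "not-graphql"   -> anything else (HTML 404 page, unrelated JSON, ...).
    """
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return "not-graphql"
    if not isinstance(doc, dict):
        return "not-graphql"
    data = doc.get("data")
    if isinstance(data, dict) and isinstance(data.get("__typename"), str):
        return "graphql"
    errors = doc.get("errors")
    if (isinstance(errors, list) and errors
            and all(isinstance(e, dict) and "message" in e for e in errors)):
        return "graphql-error"
    return "not-graphql"


def probe(base_url: str, path: str, timeout: float = 5.0) -> str:
    """POST the probe to base_url + path and classify the reply.

    Always sends Content-Type: application/json; servers with CSRF prevention
    (Apollo Server, for one) reject form-style content types outright.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(PROBE_QUERY).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.read())
    except urllib.error.HTTPError as exc:
        # 4xx/5xx replies still carry a body; GraphQL servers commonly answer
        # a rejected query with HTTP 400 plus an errors[] array.
        return classify(exc.read())
    except OSError:
        return "unreachable"


# Constructed replies (not captured from any real host) covering each class.
SAMPLE_REPLIES = {
    "/graphql":     b'{"data":{"__typename":"Query"}}',
    "/api/graphql": b'{"errors":[{"message":"Must provide query string."}]}',
    "/query":       b'<html><body><h1>404 Not Found</h1></body></html>',
    "/gql":         b'{"status":"ok"}',
}


def classify_samples() -> dict:
    """Run the classifier over the constructed replies."""
    return {path: classify(body) for path, body in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode (in-scope hosts only): python3 gql_probe.py https://target.example
        for path in PATHS:
            print(f"{path:<14} {probe(sys.argv[1], path)}")
    else:
        for path, verdict in classify_samples().items():
            print(f"{path:<14} {verdict}")
```

Run it with no arguments to see the four constructed verdicts; pass a base URL to probe a host you are authorised to test. Treat "graphql-error" as a confirmed endpoint that needs credentials or a different transport, not as a miss.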

🛠️ EXERCISE 1 — BROWSER (15 MIN · NO INSTALL)
Find GraphQL Endpoints and Trigger Introspection on HackerOne Programs

⏱️ 15 minutes · Browser + DevTools only

Step 1: Pick a public GraphQL API for practice

Go to: apis.guru/graphql-apis/ — a directory of public GraphQL APIs

Choose one (SpaceX, Countries, Star Wars; GitHub's GraphQL API also works but requires a personal access token on every request)

Step 2: Open the browser DevTools Network tab

Navigate to the API's documentation or playground

Filter by "graphql" in the network requests

Step 3: Send the introspection query

Use the API's GraphQL playground, or a direct fetch from the DevTools console. Run it on the playground's own origin: a cross-origin fetch is subject to the API's CORS policy and may be blocked even though the endpoint is live.

```javascript
fetch('[endpoint]', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({query: '{__schema{types{name}}}'})
}).then(r => r.json()).then(console.log);
```

Step 4: Examine the type list

How many types does the schema contain? Do any type names suggest sensitive operations? (look for: Admin, Internal, Private, Token, Secret)

Step 5: Get full field details for an interesting type

```graphql
{__type(name:"User"){fields{name type{name ofType{name}}}}}
```

What fields does the User type expose? Are any field names sensitive (password, token, adminRole)? Note that for wrapped types such as String! or [Post], type.name is null and the real name sits in ofType.name, which is why the query asks for both.

Step 6: On a bug bounty program (with scope permission)

Use DevTools on a real target application

Monitor network requests during login, profile update, etc.

Identify any GraphQL requests and note the endpoint path

✅ What you just learned: Introspection on a real API immediately shows you the complete attack surface without any fuzzing or guessing. Type and field names in a well-designed schema are often self-documenting: a Mutation type with fields like resetPasswordAdmin, createInternalUser or bypassRateLimit tells you exactly what to test next. This reconnaissance phase is what separates GraphQL hunters who find Critical findings from those who send the same generic XSS tests to every endpoint.
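Steps 3 to 5 are done by eye in the exercise; the script below is an added example (not the author's code) that automates the triage: it takes the type-list reply from Step 3, flags type names containing the keywords from Step 4, emits the Step 5 query for each flagged type, and flags sensitive field names in a Step 5 reply while rendering wrapped types (NON_NULL, LIST) back into SDL notation. SAMPLE_SCHEMA and SAMPLE_USER_TYPE are constructed replies with invented names, not data from any real API; the keyword lists are a heuristic you should tune per target.

```python
"""Triage the introspection replies from Steps 3 to 5 for sensitive names.

Added example for this exercise, not the author's code. SAMPLE_SCHEMA and
SAMPLE_USER_TYPE are constructed introspection replies with invented type and
field names. To triage real output, save the JSON printed by the fetch() in
Step 3 to a file and pass its path as the first argument.
"""
import json
import re
import sys

# Step 3: every type name in the schema.
TYPE_LIST_QUERY = "{ __schema { types { name } } }"

# Keywords from Steps 4 and 5 of the exercise (matched case-insensitively).
SENSITIVE_TYPE_WORDS = ("admin", "internal", "private", "token", "secret")
SENSITIVE_FIELD_WORDS = ("password", "token", "secret", "admin", "role", "apikey")

_GRAPHQL_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def type_fields_query(type_name: str) -> str:
    """Step 5 query for one type. The name is validated before interpolation so
    a hostile type name from a schema cannot break out of the string literal."""
    if not _GRAPHQL_NAME.fullmatch(type_name):
        raise ValueError(f"not a valid GraphQL name: {type_name!r}")
    return ('{ __type(name: "%s") { fields { name type { name kind '
            'ofType { name kind } } } } }' % type_name)


def suspicious_types(reply: dict) -> list:
    """Type names from a __schema { types { name } } reply that contain a
    sensitive keyword. Introspection meta types (__Schema, __Type, ...) are skipped."""
    names = (t["name"] for t in reply["data"]["__schema"]["types"])
    return sorted(n for n in names if not n.startswith("__")
                  and any(w in n.lower() for w in SENSITIVE_TYPE_WORDS))


def render_type(ref: dict) -> str:
    """Turn a type reference into SDL notation: String, Boolean!, [Post].
    The Step 5 query unwraps only one ofType level, so deeper wrappers show as '?'."""
    kind = ref.get("kind")
    inner = ref.get("ofType")
    if kind in ("NON_NULL", "LIST"):
        if inner is None:
            return "?"
        rendered = render_type(inner)
        return rendered + "!" if kind == "NON_NULL" else "[" + rendered + "]"
    return ref.get("name") or "?"


def suspicious_fields(reply: dict) -> list:
    """(field name, rendered type) pairs from a __type reply whose field name
    contains a sensitive keyword."""
    fields = reply["data"]["__type"].get("fields") or []
    return [(f["name"], render_type(f["type"])) for f in fields
            if any(w in f["name"].lower() for w in SENSITIVE_FIELD_WORDS)]


def follow_up_queries(reply: dict) -> dict:
    """Map each suspicious type to the Step 5 query that dumps its fields."""
    return {n: type_fields_query(n) for n in suspicious_types(reply)}


# Constructed Step 3 reply: invented type names, not from any real schema.
SAMPLE_SCHEMA = {"data": {"__schema": {"types": [
    {"name": "Query"}, {"name": "Mutation"}, {"name": "User"}, {"name": "Post"},
    {"name": "AdminUser"}, {"name": "InternalAuditLog"}, {"name": "String"},
    {"name": "Boolean"}, {"name": "ID"}, {"name": "__Schema"}, {"name": "__Type"},
]}}}

# Constructed Step 5 reply for the User type.
SAMPLE_USER_TYPE = {"data": {"__type": {"fields": [
    {"name": "id", "type": {"name": None, "kind": "NON_NULL",
                            "ofType": {"name": "ID", "kind": "SCALAR"}}},
    {"name": "email", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
    {"name": "passwordHash", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
    {"name": "apiToken", "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
    {"name": "adminRole", "type": {"name": None, "kind": "NON_NULL",
                                   "ofType": {"name": "Boolean", "kind": "SCALAR"}}},
    {"name": "posts", "type": {"name": None, "kind": "LIST",
                               "ofType": {"name": "Post", "kind": "OBJECT"}}},
]}}}


if __name__ == "__main__":
    schema = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SCHEMA
    for name, query in follow_up_queries(schema).items():
        print(f"{name}: {query}")
    print("sensitive User fields:", suspicious_fields(SAMPLE_USER_TYPE))
```

On the constructed schema the script flags AdminUser and InternalAuditLog and prints the __type query for each; on the constructed User type it flags passwordHash, apiToken and adminRole (rendered as Boolean!) while leaving id, email and posts alone. If introspection is disabled on the target, the Step 3 reply carries an errors array instead of data and this script will raise a KeyError, which is the expected signal to move on to the other techniques in this course.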



This article continues, with deeper technical detail, screenshots, code samples and an interactive lab walk-through, in the full version on SecurityElites.


