
omar nasser

Hunting Hidden GraphQL Mutations: How I Found AddWorkspaceWhitelistDomains Using JavaScript Analysis

(Send blessings upon the Prophet)

Introduction

During a recent penetration test, I encountered an application with restricted functionality due to plan limitations. However, by analyzing the JavaScript files, I discovered hidden GraphQL mutations that revealed undocumented API behavior. This blog explains how I uncovered and tested one of them — AddWorkspaceWhitelistDomains.


Methodology

Step 1 – Searching JavaScript for GraphQL operations

I searched through the application’s .js files for mutation and query keywords to locate GraphQL operations used by the UI.

Step 2 – Using the Wayback Machine, VirusTotal, and Burp Suite search

I used the Wayback Machine and VirusTotal to recover archived or cached versions of the JS files that were no longer accessible.

Step 3 – Aggregating and analyzing files

I combined all .js files into one for easier searching, then extracted all the GraphQL queries and mutations.

Step 4 – Finding the key mutation

After analysis, I identified mutation AddWorkspaceWhitelistDomains, which appeared to handle domain whitelisting.

Step 5 – Testing via Burp Suite

Using Burp Suite, I intercepted and replayed the request to analyze its behavior and confirm the functionality.
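
Steps 1, 3 and 4 as an added example (not the author's code): a script that pulls every named GraphQL operation out of combined bundle text and lists the ones missing from a reviewed list, which is also how a team can audit what its own front end ships. The sample bundle, the `REVIEWED` set and every operation name except AddWorkspaceWhitelistDomains are constructed for illustration.

```python
import re

# Named operations: keyword, a name, then "(", "{" or "@" (args, body, directive).
OPERATION_RE = re.compile(
    r"\b(query|mutation|subscription)\s+([A-Za-z_]\w*)\s*(?=[({@])"
)

def extract_operations(js_text):
    """Return {kind: set(names)} for every named GraphQL operation in js_text."""
    # Minified bundles often keep newlines as the two characters "\n" inside
    # string literals; turn them into spaces so keyword and name stay adjacent.
    text = js_text.replace("\\n", " ")
    found = {"query": set(), "mutation": set(), "subscription": set()}
    for kind, name in OPERATION_RE.findall(text):
        found[kind].add(name)
    return found

def unreviewed(found, reviewed):
    """Operations shipped to the browser that are missing from the reviewed list."""
    return sorted(
        (kind, name)
        for kind, names in found.items()
        for name in names
        if name not in reviewed
    )

# Constructed sample standing in for the combined .js file from Step 3.
SAMPLE_BUNDLE = r'''
const a = gql`query GetWorkspace($id: ID!) { workspace(id: $id) { name } }`;
const b = "mutation AddWorkspaceWhitelistDomains($input: DomainsInput!) { addWorkspaceWhitelistDomains(input: $input) { ok } }";
const c = "mutation\nRemoveMember($id: ID!) { removeMember(id: $id) { ok } }";
// mutation observers are unrelated and must not match
const obs = new MutationObserver(() => {});
'''

# Hypothetical list of operations already checked for server-side authorization.
REVIEWED = {"GetWorkspace", "RemoveMember"}

if __name__ == "__main__":
    for kind, name in unreviewed(extract_operations(SAMPLE_BUNDLE), REVIEWED):
        print(f"needs review: {kind} {name}")
```

Any operation this reports is reachable by name from the browser, so plan and role checks for it have to be enforced in the server-side resolver rather than by hiding the feature in the UI.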


Outcome

I successfully identified and tested the hidden mutation AddWorkspaceWhitelistDomains. The behavior was confirmed and later reported responsibly to the program.

Alhamdulillah (praise be to God) — another successful finding through persistence and code review.
