A comprehensive Nuclei-based scanning suite for identifying GraphQL-related misconfigurations, vulnerabilities and reconnaissance vectors. Designed for bug bounty hunting, red teaming, and appsec testing.
Repository layout:

```
graphql_hunting/
├── graphql-nuclei-suite.yaml
├── helpers/
│   └── wordlists/
│       └── auth-bypass.txt
├── others/
└── README.md
```
This suite includes:

| Module | Description |
|---|---|
| graphql-introspection-post | Detects open GraphQL introspection endpoints via POST |
| graphql-token-bruteforce | Attempts to brute-force GraphQL auth tokens using headers |
| graphql-framework-fingerprint | Identifies GraphQL backends like Apollo, Graphene, etc. |
| graphql-json-introspection-heuristics | Detects introspection leaks using JSON heuristics |
| graphql-waf-bypass | Bypasses WAFs using HTTP header overrides |
| graphql-dns-exfiltration | Leverages DNS-based blind exfiltration via Interactsh |
| graphql-ssrf-chain | Chains introspection to possible SSRF via avatar URL |
| graphql-sqli-chain | Chains introspection to GraphQL SQL injection testing |
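As an added example (not code from the graphql_hunting suite), the Python below applies the kind of JSON heuristics the graphql-introspection-post and graphql-json-introspection-heuristics modules rely on, so a defender can run the same logic offline over response bodies saved from their own endpoints and see exactly what an "open introspection" finding means. The marker keys, the "refused introspection" hint phrases and all sample bodies are assumptions constructed for this example.

```python
"""Classify a saved GraphQL HTTP response body: does it leak the schema?

Added example for this README, not code from the graphql_hunting suite. The
sample bodies below are constructed for the example, not recorded from any
real server.
"""
import json

# Phrases servers commonly include when they refuse introspection (heuristic, assumed).
DISABLED_HINTS = ("introspection", "not allowed", "disabled")


def classify_introspection(body: str) -> dict:
    """Return {'status', 'user_types', 'reason'} for one response body.

    status is one of:
      'open'    - data.__schema carries a type list (schema fully exposed)
      'partial' - introspection-shaped keys present but no usable type list
      'blocked' - the server answered with an error about introspection
      'none'    - not JSON, or JSON without any introspection markers
    """
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return {"status": "none", "user_types": 0, "reason": "body is not JSON"}
    if not isinstance(doc, dict):
        return {"status": "none", "user_types": 0, "reason": "top-level value is not an object"}

    data = doc.get("data")
    if isinstance(data, dict) and isinstance(data.get("__schema"), dict):
        types = data["__schema"].get("types")
        if isinstance(types, list) and types:
            names = [t.get("name") for t in types if isinstance(t, dict)]
            # Built-in meta types (__Type, __Field, ...) are always present; only
            # application-defined types tell a defender what actually leaked.
            user_types = [n for n in names if isinstance(n, str) and not n.startswith("__")]
            return {"status": "open", "user_types": len(user_types),
                    "reason": "data.__schema.types enumerates %d application types" % len(user_types)}
        return {"status": "partial", "user_types": 0,
                "reason": "__schema present but no type list"}

    errors = doc.get("errors")
    if isinstance(errors, list):
        for err in errors:
            msg = str(err.get("message", "") if isinstance(err, dict) else err).lower()
            if any(hint in msg for hint in DISABLED_HINTS):
                return {"status": "blocked", "user_types": 0,
                        "reason": "server refused introspection: " + msg}

    # Some gateways rewrite the envelope; still count introspection-shaped keys anywhere.
    flat = json.dumps(doc)
    if '"__schema"' in flat or '"queryType"' in flat:
        return {"status": "partial", "user_types": 0,
                "reason": "introspection keys found outside data.__schema"}
    return {"status": "none", "user_types": 0, "reason": "no introspection markers"}


# Constructed sample responses (not captured from any real server).
OPEN_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [{"name": "Query"}, {"name": "User"}, {"name": "__Type"}],
}}})
BLOCKED_RESPONSE = json.dumps({"errors": [
    {"message": "GraphQL introspection is not allowed, but the query contained __schema or __type."},
]})
NORMAL_RESPONSE = json.dumps({"data": {"me": {"id": "1"}}})
HTML_RESPONSE = "<html><body>404 Not Found</body></html>"

if __name__ == "__main__":
    for label, body in (("open", OPEN_RESPONSE), ("blocked", BLOCKED_RESPONSE),
                        ("normal", NORMAL_RESPONSE), ("html", HTML_RESPONSE)):
        print("%-8s %s" % (label, classify_introspection(body)))
```

The user-type count is the number to put in a ticket: a response that only lists `__Type`, `__Field` and friends has not really leaked anything, whereas a list of application types is the schema handed over wholesale. The "blocked" branch is a string heuristic, so treat it as a hint and confirm by reading the raw error.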
Usage examples:

```bash
# Run the whole suite against one target
nuclei -t graphql_hunting/ -u https://target.com

# Run only the introspection check from the suite file
nuclei -t graphql_hunting/graphql-nuclei-suite.yaml -include-templates graphql-introspection-post -u https://target.com

# Scan a list of URLs and write findings to a file
cat urls.txt | nuclei -t graphql_hunting/ -o graphql_findings.txt
```

Requirements:

- Nuclei
- Interactsh for DNS/http exfil payloads
- auth_bypass.txt wordlist (used in token brute-force)

📦 Recommended to run with the latest ProjectDiscovery templates
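The graphql-ssrf-chain module listed in the table above looks for mutations that accept an avatar URL which the backend then fetches. As an added example (not code from the graphql_hunting suite), here is the server-side validation a defender would put in that resolver before any fetch happens. The allowed scheme and port policy, the injectable resolver hook and the lookup table standing in for DNS are assumptions constructed so the example runs offline.

```python
"""Validate a user-supplied avatar URL before the backend fetches it.

Added example for this README, not code from the graphql_hunting suite. The
resolver hook is injectable, so the example runs offline against a constructed
lookup table instead of real DNS.
"""
import ipaddress
from urllib.parse import urlsplit

# Policy assumed for the example: avatars are only fetched over HTTPS on 443.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip) -> bool:
    """True only for globally routable addresses.

    Rejects loopback, RFC 1918, link-local (which includes the cloud metadata
    range), multicast, reserved and unspecified addresses, and unwraps
    IPv4-mapped IPv6 addresses so ::ffff:10.0.0.5 is judged as 10.0.0.5.
    """
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_avatar_url(url: str, resolve) -> tuple:
    """Return (ok, reason). `resolve(host)` returns the list of IP strings the fetch would use.

    The fetch that follows must connect to the addresses validated here rather
    than resolving the name again, otherwise a DNS rebinding between check and
    fetch would defeat the validation.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials embedded in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port

    # A literal IP in the URL is checked directly; names go through the resolver.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, "resolution failed: %s" % exc
        if not addrs:
            return False, "host did not resolve"

    # Every record must be public: a single internal A record is enough to reach
    # an internal service when the HTTP client happens to pick it.
    for ip in addrs:
        if not is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"


# Constructed stand-in for DNS (example data, not real records).
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "mixed.example.com": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.com": ["169.254.169.254"],
}


def fake_resolve(host):
    """Resolver hook for the example; a real deployment passes a DNS lookup here."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN for %s" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/me.png",
                      "http://cdn.example.com/me.png",
                      "https://mixed.example.com/me.png",
                      "https://169.254.169.254/",
                      "https://[::ffff:10.0.0.5]/me.png",
                      "https://nowhere.example.com/me.png"):
        print("%-45s %s" % (candidate, validate_avatar_url(candidate, fake_resolve)))
```

The important design choice is that validation and fetch share one resolution: validate the addresses, then connect to those addresses (sending the original hostname in the `Host` header and TLS SNI) instead of letting the HTTP client resolve the name a second time.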
auth_bypass.txt should contain common token values, e.g.:

```
admin
root
bearer test
token123
```

Place it under:

```
graphql_hunting/helpers/wordlists/auth_bypass.txt
```

Note that the repository layout above lists this file as `auth-bypass.txt` (hyphen) while this section uses `auth_bypass.txt` (underscore); the file name on disk must match the path the template's payload section references, or the brute-force module will run with an empty wordlist.
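On the defending side, the observable of a wordlist run like the one above is a single client presenting many distinct credentials against the GraphQL endpoint in a short window and collecting 401s. As an added example (not code from the graphql_hunting suite), the Python below implements that detection over authentication log lines; the log line layout, the window and threshold values and every log entry are constructed for this example.

```python
"""Flag token brute-force attempts against /graphql from an authentication log.

Added example for this README, not code from the graphql_hunting suite. The
log format and all entries below are constructed; a real deployment would
adapt parse_line() to its own server's auth log.
"""
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log line layout (constructed for this example):
# <ISO-8601 time> <client ip> <path> <http status> <Authorization header value>
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 /graphql 401 Bearer admin
2024-05-01T10:00:01Z 203.0.113.7 /graphql 401 Bearer root
2024-05-01T10:00:01Z 198.51.100.4 /graphql 200 Bearer c0ffee-real-user-token
2024-05-01T10:00:02Z 203.0.113.7 /graphql 401 Bearer test
2024-05-01T10:00:02Z 203.0.113.7 /graphql 401 Bearer token123
2024-05-01T10:00:03Z 203.0.113.7 /graphql 401 Bearer password
2024-05-01T10:00:03Z 198.51.100.4 /graphql 200 Bearer c0ffee-real-user-token
2024-05-01T10:05:00Z 198.51.100.4 /graphql 401 Bearer expired-token
"""

WINDOW_SECONDS = 60        # sliding window length (assumed tuning value)
DISTINCT_THRESHOLD = 4     # distinct rejected credentials per client that trigger an alert


def fingerprint(credential: str) -> str:
    """Hash the presented credential so alerts never carry the raw value."""
    return hashlib.sha256(credential.encode()).hexdigest()[:12]


def parse_line(line: str):
    """Split one constructed log line into (timestamp, ip, path, status, credential)."""
    ts, ip, path, status, credential = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, path, int(status), credential


def detect_token_bruteforce(log_text: str, window=WINDOW_SECONDS, threshold=DISTINCT_THRESHOLD):
    """Return one alert per client IP whose distinct rejected credentials reach the threshold.

    Each client alerts once, on the line that crosses the threshold, so a long
    run of attempts does not turn into a flood of duplicate alerts.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, fingerprint) for 401 responses
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, path, status, credential = parse_line(raw)
        if path != "/graphql" or status != 401:
            continue
        attempts = recent[ip]
        attempts.append((ts, fingerprint(credential)))
        # Evict attempts that fell out of the sliding window.
        while attempts and (ts - attempts[0][0]).total_seconds() > window:
            attempts.popleft()
        distinct = {fp for _, fp in attempts}
        if len(distinct) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "distinct_credentials": len(distinct),
                "first_seen": attempts[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_token_bruteforce(SAMPLE_LOG):
        print(alert)
```

Counting distinct credential fingerprints rather than raw 401s keeps a single user retrying one expired token (the last line in the sample) below the threshold, while a wordlist sweep crosses it within a few seconds.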
References:

- GraphQL Introspection Docs
- GraphQL Security Docs
- Apollo Security Docs
- PortSwigger Introspection
- Web Security Academy: GraphQL API vulnerabilities
- Dolev Farhi's repos
Work in progress. Contributions welcome!
For educational use only. Do not scan systems without proper authorization.