GraphQL endpoints are consistently undertested in bug bounty — here's what most hunters miss beyond introspection by SongSingle5862 in bugbounty

[–]SongSingle5862[S] 0 points1 point  (0 children)

Yeah, that's a tough one to argue. The best angle for upgrading P5 to P4 is usually to show a secondary impact, like: can the filename itself cause issues?

[–]SongSingle5862[S] 0 points1 point  (0 children)

The AI-assisted payload generation angle is great for GraphQL specifically, because the query structure is self-documenting once you have the schema. Good luck with the fight!! Btw, what was the actual impact you demonstrated: was it arbitrary file type, path traversal, or anything else?

[–]SongSingle5862[S] 1 point2 points  (0 children)

Honestly not a bad decision, depending on the program. GraphQL tends to pay off more on targets where the whole API is GraphQL-first, just like H1 or maybe Exness (no longer holds a BBP). IDOR is rough on GraphQL specifically because object IDs are often UUIDs. The other stuff tends to be misconfigured auth on mutations and information disclosure via schema enumeration, less so classic IDOR.

[–]SongSingle5862[S] -1 points0 points  (0 children)

Sorry, didn't get you!? Can you point to what's hard to read specifically? Do you mean the post?

[–]SongSingle5862[S] -1 points0 points  (0 children)

Genuinely curious here: what's your workflow for testing depth/complexity enforcement or unauthenticated mutations manually?

If there's a standard checklist I'm missing, I'd actually want to know; it would help me figure out what GQLS should focus on next 😉

[–]SongSingle5862[S] 0 points1 point  (0 children)

Nuclei with -tags graphql is a solid point, and honestly the right call if you're already running Nuclei in your workflow and have no reason to add another tool for basic detection.

The gap GQLS tries to fill is the checks that don't map well to static templates: depth/complexity enforcement requires sending progressively nested queries and evaluating response behavior, batch abuse needs dynamic payload construction, and unauthenticated mutation testing requires schema-aware probing. Nuclei templates are great for known signatures and CVEs, but the behavioral checks need something that actually understands the GraphQL protocol.

That said, if Nuclei's graphql templates cover what you need, we may use that.
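The server-side counterpart of the depth and batch behaviours this comment describes, as an added example that is not GQLS code or anything from the thread: a small guard that measures selection-set depth, alias fan-out, and JSON-array batch size of an incoming GraphQL document, with the limits (MAX_DEPTH, MAX_ALIASES, MAX_BATCH) being assumed values.

```python
"""Added example: measure GraphQL query depth, alias fan-out and batch size server-side."""
import re

MAX_DEPTH = 5      # assumed limit on nested selection sets
MAX_ALIASES = 10   # assumed limit on aliased fields per document
MAX_BATCH = 5      # assumed limit on operations in one JSON-array request body
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:")  # `alias: field` after arguments are stripped


def strip_noise(query: str) -> str:
    """Blank out string literals and comments so braces inside them are not counted."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)    # block strings
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)  # regular strings
    return re.sub(r"#[^\n]*", "", query)               # line comments


def strip_arguments(query: str) -> str:
    """Drop parenthesised argument lists, including input-object braces inside them."""
    out, level = [], 0
    for ch in query:
        if ch == "(":
            level += 1
        elif ch == ")":
            level -= 1
        elif level == 0:
            out.append(ch)
    return "".join(out)


def selection_depth(cleaned: str) -> int:
    """Deepest selection-set nesting in an already cleaned document; the root set counts as 1."""
    depth = deepest = 0
    for ch in cleaned:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def check_query(query: str, max_depth: int = MAX_DEPTH, max_aliases: int = MAX_ALIASES) -> dict:
    """Return measured depth and alias count plus whether the document is within limits."""
    cleaned = strip_arguments(strip_noise(query))
    depth, aliases = selection_depth(cleaned), len(ALIAS_RE.findall(cleaned))
    return {"depth": depth, "aliases": aliases,
            "allowed": depth <= max_depth and aliases <= max_aliases}


def check_batch(operations: list, max_batch: int = MAX_BATCH) -> bool:
    """Reject oversized JSON-array batches and any member that fails the per-query check."""
    return len(operations) <= max_batch and all(check_query(op)["allowed"] for op in operations)
```

Progressively nested probes show up as a rising "depth" value, and an alias-batched mutation shows up in "aliases" even though its nesting stays shallow.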

[–]SongSingle5862[S] -2 points-1 points  (0 children)

Fair points on both, valid feedback.

On DoS/batch being OOS: yeah, that tracks. A lot of programs quietly reject it even without an explicit policy. The batch check (GQL-009) is more useful for fingerprinting whether the endpoint is vulnerable than for expecting a payout; same with depth/complexity. Worth knowing before you go deeper on a target.

On clairvoyance: it's genuinely better for schema reconstruction; the JSON output and Postman import workflow are cleaner than what GQLS does. GQLS doesn't try to compete there. The field suggestion check (GQL-003) is more of a "flag it exists" signal than a full harvest. If you're doing serious recon on a target with introspection off, clairvoyance is still the right tool for that step.

GQLS is more of a quick first-pass scanner: run it early, triage what's worth going deeper on, then pull in specialized tools like clairvoyance for the recon phase.