GraphQL: SQL Injection

This exercise covers how to use introspection and a SQL injection to get access to additional information in GraphQL.

1-2 Hrs.
Green Badge


In this course, you will learn how to use GraphQL Introspection to uncover data that is not directly exposed by the application. By observing the traffic between the client and the server, you can identify GraphQL endpoints and perform introspection queries to reveal the structure of the GraphQL schema. This allows you to find queries that are not used by the application but can still be called manually.

Once you have identified a vulnerable query, you can exploit it using SQL Injection techniques. The course covers how to craft your own POST requests to perform introspection and how to manipulate the query parameters to inject SQL code. By doing so, you will be able to extract sensitive information from the database, such as table names and key values, demonstrating the power of combining GraphQL Introspection with SQL Injection.

Want to learn more? Get started with PentesterLab Pro! GO PRO