Thinking outside the box when pentesting GraphQL

Read Time:3 Minute, 21 Second

The hardest part when pentesting any system is undoubtedly answering the question:


How should we think of that?

What is meant is “how outside-the-box thinking works?”, and “how is a pentester meant to think outside the box?”.

Although tackling this question might seem like a near impossible task, but a good approach would be giving an example of a vulnerability that required “out of box” thinking, dissecting the thought process behind it while trying to answer the “why?” that might pop up.


Before the actual hacking happens, a couple of questions should be answered, either consciously or in an implied manner.

First, think of what are you doing, and why are you trying to find vulnerabilities. Is it a pentesting task, or security research? if it is a pentesting task then consider looking more for known/already known vulnerabilities, on the other hand, while doing security research is where you try and innovate and try new things.

Next would be considering what would be interesting as a result. What results are important for you? Maybe you care about nothing but a Remote Code Execution, or maybe you care about everything even a reflected XSS.

Once you have all your answers you can start your hacking process.

The Example

The example we going to use in this article is CVE-2022-31173, it’s a vulnerability we found at Escape while doing DOS security research on Juniper GraphQL server.

So to answer some of the questions asked in the prophase, we are doing a combination of pentest and security research, and we were only interested in Denial Of Service attacks.

Basic Ideology

When doing any security research or pentesting it is essential to check prior work done on the same field you are tackling, and in our case one of the DOS attacks we found on GraphQL servers was CVE-2022-21708

To briefly explain how this vulnerability works, sending a recursive fragment as follows to a vulnerable server would cause a stack overflow causing the server to crash:

For the Escape Security team, this had some implications that could be made:

  • The stack can be filled with fragments call
  • The stack is not properly protected since the CVE-2022-21708 was patched using similar techniques to query analysis.

So we asked ourselves, how can we cause a stack overflow again? What can we do?

Having a clear view of what we need to achieve transforms the “Thinking outside the box” problem into one small problem that needs a suitable solution.

In our example, it transformed the problem of wanting to DOS a server into the question: “How do we fill the stack with fragments without a recursion?”. Essentially they are the same question but the latter is easier for the brain to process and more likely to be solved.

Our solution

We decided to go back to the basics, we know that a query like this would cause one fragment to be in the stack at one time:

Another one would cause two fragments to be in the fragment at one time, try to stop reading and figure out where is this going:

If you thought of increasing the number of fragments even more then congrats, you just thought outside the box! what we did is kept increasing the number of fragments until we hit 7500 fragments and it happened, the server crashed!

If you want to catch recursive fragment vulnerabilities and 50+ other GraphQL security issues (DOS, resolver performance, N+1, tenant isolation, complexity, sensitive data leaks…) before it’s too late, check out our GraphQL Security Scanner! 🚀
1-minute install / 7-day free trial / no credit card required!


Thinking outside the box is sometimes what differentiates between a good and a great security expert but I am a deep believer that creativity is a muscle that could be trained, I hope through this article I was able to facilitate the creative process of finding the vulnerability.



Tag Cloud

Java Java Logical Programs OTP Generation in Java python Recursion youtube video ASCII Upper and Lower Case blockchain javascript graph learn to code software development Successful Software Engineers breadth first search Java Array Programs Java Programs Uncategorized android ios programming kotlin web-development django data sql cybersecurity database swiftui serverless aws swift rust react background-position gradients loader mask grid nth-child pseudo elements indieweb WordPress Print Array without brackets C++ factorial Java String Programs Final Keyword Static Variable Axie Infinity Cryptokitties NFT games tool inserting MISC Tips Codes python code python projects python3 system info python project Bigginers How to Do Integrations Payment Gateways PHP checkout page in php Implement stripe payment gateway in Step by step in PHP integrate stripe gatway in php mysql payment gateway integration in php step by step payment gateway integration in php step by step with source code payment gateway integration in website PHP Integrate Stripe Payment Gateway Tutorial PHP shopping cart checkout code shopping cart in php stripe php checkout PHP/MySQL/JSON best international payment gateway does google pay accept international payments how to accept international payments in india paytm payment gateway razorpay codeigniter github razorpay custom checkout github razorpay get payment details razorpay integration in codeigniter github razorpay international payments Razorpay payment gateway integration in CodeIgniter razorpay payment gateway integration in php code Razorpay payment gateway integration with PHP and CodeIgniter Razorpay payment gateway setup in CodeIgniter Library & Frameworks Tips & Tricks UI/UX & Front-end coding birds online html code for google sign in login with google account in PHP login with google account using javascript login with google account using javascript codeigniter login with google account using php login with google account using php source code
How I build a Documentation site using Docz Previous post How I build a Documentation site using Docz
How I made multi-threaded voxel engine in TypeScript Next post How I made multi-threaded voxel engine in TypeScript

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.