Purpose

Detects GraphQL endpoints, runs introspection to extract the full schema, flags dangerous mutations (delete, admin, password reset patterns), tests query batching abuse, and checks for absent depth limits. Endpoint candidates come from the --endpoint flag, from the crawl's endpoints.json (entries with graphql:true or a /graphql path suffix), or from the recon summary hosts. Session auth headers are applied to all requests.
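An added example (not mg-graphql's own code) of the dangerous-mutation flagging step, run over a standard GraphQL introspection response so a schema owner can review what would be flagged. The regexes, the function name and the sample schema are assumptions constructed for illustration; the page names only the categories.

```python
import re

# Assumed patterns: the page names only the categories, not the exact regexes.
PATTERNS = {
    "delete": re.compile(r"delete", re.I),
    "admin": re.compile(r"admin", re.I),
    "password_reset": re.compile(r"password.?reset|reset.?password", re.I),
}

def flag_dangerous_mutations(introspection):
    """Return mutation-root fields whose names match a risky category."""
    schema = (introspection.get("data") or {}).get("__schema") or {}
    root = (schema.get("mutationType") or {}).get("name")
    if not root:
        return []  # introspection disabled, or the schema has no mutations
    findings = []
    for gql_type in schema.get("types") or []:
        if gql_type.get("name") != root:
            continue  # only fields on the mutation root are mutations
        for field in gql_type.get("fields") or []:
            hits = [c for c, rx in PATTERNS.items() if rx.search(field["name"])]
            if hits:
                args = [a["name"] for a in field.get("args") or []]
                findings.append({"mutation": field["name"], "categories": hits, "args": args})
    return findings

# Constructed sample input (not from a real target).
SAMPLE = {"data": {"__schema": {
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [{"name": "deleteLog", "args": []}]},
        {"name": "Mutation", "fields": [
            {"name": "updateProfile", "args": [{"name": "input"}]},
            {"name": "deleteUser", "args": [{"name": "id"}]},
            {"name": "adminDeleteOrg", "args": [{"name": "orgId"}]},
            {"name": "requestPasswordReset", "args": [{"name": "email"}]},
        ]},
    ],
}}}
DISABLED = {"data": None, "errors": [{"message": "introspection is disabled"}]}

if __name__ == "__main__":
    for finding in flag_dangerous_mutations(SAMPLE):
        print(finding)
    print(flag_dangerous_mutations(DISABLED))
```

A field named like a mutation on the Query type (deleteLog in the sample) is ignored, and one mutation can land in several categories.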

Output

  • graphql/results-<timestamp>.json — introspection schema, dangerous mutation list, batching test result, and depth-limit finding.

CLI

mg-graphql acme-bounty
mg-graphql acme-bounty --endpoint https://api.acme.example.com/graphql

Notes

  • Run mg-crawl and mg-recon first to maximize endpoint candidate coverage.
  • Introspection disabled on the target is a finding in itself; note it and test blind query patterns manually.
  • The batching abuse test sends an array of queries in a single request; flag it if all are processed.
  • Related: mg-fuzz for field-level fuzzing after the schema is known.