GraphQL API recon with mitmproxy



Why?

Capturing live examples of GraphQL queries and responses all in one place vastly simplifies recon.



When?

You most want to do this when introspection is disabled. Otherwise, it is useful when you need concrete examples to make sense of the API's semantics, or to develop a better intuition for where the weaknesses may be.



How?

This script works out-of-the-box for the most common scenario: POST requests to /graphql whose JSON body carries the operationName parameter.

mitmdump -s capture.py

capture.py:

import json
import re

from mitmproxy import http


def response(flow: http.HTTPFlow) -> None:
    # Only handle calls to the GraphQL endpoint that actually received a response
    if not flow.request.url.endswith('/graphql') or flow.response is None:
        return
    payload = json.loads(flow.request.content.decode('utf-8'))
    # One file per operation; sanitise the name so it is safe to use as a filename
    name = payload.get('operationName') or 'anonymous'
    filename = re.sub(r'[^a-zA-Z0-9]', '_', name) + '.example.txt'
    with open(filename, 'w') as f:
        json.dump(payload, fp=f, indent=2)  # full request payload, including variables
        f.write("\n\n// ==== REQUEST ====\n\n")
        f.write(f"{payload['query']}\n\n")
        f.write("// ==== RESPONSE ====\n\n")
        json.dump(json.loads(flow.response.content), fp=f, indent=2)
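The script above only covers the common case. As an added example (my own code, not part of the original post), the variant below also handles GET requests that carry the query in the URL, batched POST bodies (a JSON array of operations), and requests without operationName, for which the name is taken from the query text or falls back to "anonymous". The parsing helpers are plain Python so they can be exercised without mitmproxy; `response` is the addon hook, and the `/graphql` path and file-name scheme are assumptions carried over from the original script.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

_OP_RE = re.compile(r'^\s*(query|mutation|subscription)\s+([A-Za-z_][A-Za-z0-9_]*)')  # `query Name`, ...

def _load_json(raw, default):
    """Parse JSON leniently: an empty or malformed body yields the default."""
    try:
        return json.loads(raw) if raw else default
    except (json.JSONDecodeError, UnicodeDecodeError):
        return default

def extract_operations(method, url, body):
    """Return [(operation_name, query, variables), ...] for one request.
    Covers POST JSON (single object or batched list) and GET with the query
    in the URL; the name falls back to the query text, then to 'anonymous'."""
    if method.upper() == 'GET':
        qs = parse_qs(urlparse(url).query)
        payloads = [{'query': qs.get('query', [''])[0],
                     'operationName': qs.get('operationName', [None])[0],
                     'variables': _load_json(qs.get('variables', [''])[0], {})}]
    else:
        parsed = _load_json(body, None)
        payloads = parsed if isinstance(parsed, list) else [parsed]
    ops = []
    for p in payloads:
        if not isinstance(p, dict):
            continue  # skip malformed entries instead of crashing the proxy
        query = p.get('query') or ''
        name = p.get('operationName')
        if not name:
            m = _OP_RE.match(query)
            name = m.group(2) if m else 'anonymous'
        ops.append((name, query, p.get('variables') or {}))
    return ops

def safe_filename(name):
    """Reduce an operation name to a filesystem-safe file name."""
    return re.sub(r'[^a-zA-Z0-9]', '_', name) + '.example.txt'

def response(flow):  # mitmproxy hook; unannotated so the module imports without mitmproxy
    if urlparse(flow.request.url).path != '/graphql' or flow.response is None:
        return
    for name, query, variables in extract_operations(
            flow.request.method, flow.request.url, flow.request.content):
        with open(safe_filename(name), 'a') as f:  # append: keep every sample seen
            f.write(f"// ==== REQUEST ====\n{query}\n\n")
            f.write(f"// ==== VARIABLES ====\n{json.dumps(variables, indent=2)}\n\n")
            f.write(f"// ==== RESPONSE ====\n{flow.response.text}\n\n")
```

Run it the same way as the original (`mitmdump -s capture.py`); files are opened in append mode so repeated calls of the same operation with different variables are all retained.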
