First Issue – Let’s Go

3 min read

April 20, 2025

First Issue – Let’s Go

Table of contents

Welcome to my first newsletter!

The purpose of this is simple:
To have a direct channel where I can share my thoughts, keep you updated when a new blog post drops, and deliver offensive security techniques I’ve learned during the week.

This isn’t about theory or abstract ideas.
It’s about giving you real, actionable tactics you can recognize and apply when you face real targets.

Because at the end of the day, one of the most powerful ways to improve in offensive security, whether you're studying for a cert like the OSCP or working in the field, is by building mental muscle memory.

The more techniques you archive in your mind (or in a structured place like Obsidian or GitBook), the faster you'll be able to recognize patterns during an audit and know exactly what to try.

If you're serious about growing in this field, you should be building your own version of HackTricks: a personal methodology, refined over time.

Offensive GraphQL Techniques You Should Know

We're starting with GraphQL.
This is part of a broader API hacking series I’m working on, and this drop summarizes key attack vectors you can add to your methodology right away.

Discovering GraphQL Endpoints

To confirm that a URL is exposing a GraphQL endpoint, send this simple query:

query { __typename }

If the response includes:

{ "data": { "__typename": "query" } }

Then you’ve found a GraphQL endpoint.

Try common paths:

  • /graphql
  • /api/graphql
  • /graphql/api
  • /graphql/graphql
  • /v1/graphql

Tools like Burp Scanner can automate this discovery or Graphw00f

Introspecting the Schema

If introspection is enabled, you can reveal the full structure of the API.

Basic probe:

query {
  __schema {
    queryType { name }
  }
}

Use full introspection queries with tools like GraphQL Voyager to visualize relationships between types, queries, and mutations. If introspection is disabled, check the next technique.

Discovering Schema Without Introspection

Even when introspection is disabled, GraphQL frameworks like Apollo may leak schema hints via error messages.

Try sending typos like:

query { getUsre }

Apollo might respond with:

Did you mean "getUser"?

Tools like Clairvoyance automate this kind of discovery.

Exploiting Unsanitized Arguments (IDOR)

APIs that expose resources directly via user-controlled arguments may be vulnerable to Insecure Direct Object References.

For example:

query {
  getUserById(id: "1234")
}

If there’s no access control check, changing the ID may leak sensitive data from other users.

Bypassing Rate Limiting Using Aliases

Aliases let you request the same field multiple times in a single HTTP request, bypassing naive rate-limiting protections.

Example:

query {
  d1: isValidDiscount(code: "AAA")
  d2: isValidDiscount(code: "BBB")
  d3: isValidDiscount(code: "CCC")
}

This allows you to brute-force or scan multiple entries in one request, avoiding WAF or IP-based limits.

Finding CSRF Vulnerabilities in GraphQL

Some GraphQL APIs accept unsafe request types like GET or POST with non-JSON content types (e.g., x-www-form-urlencoded), making them vulnerable to CSRF.

To test this:

  • If either request goes through and performs the mutation, you’ve got a CSRF vector.

Try a simple GET request with the query in the URL

GET /graphql?query=mutation+{changeEmail(newEmail:"[email protected]")} HTTP/1.1

Send a POST request with Content-Type: x-www-form-urlencoded

POST /graphql HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

query=mutation+{updatePassword(newPassword:"123456")}

Secure GraphQL implementations should:

  • Only accept application/json
  • Enforce CSRF tokens

SSRF via GraphQL Mutations

Some mutations take URLs as arguments and pass them to backend logic. If there’s no input validation, you may be able to perform Server-Side Request Forgery.

Example:

mutation {
  updatePlant(sourceURL: "http://127.0.0.1:8888")
}

This could let you scan internal services or hit cloud metadata endpoints. In vulnerable setups, it can lead to privilege escalation.

Where to Practice

You can practice these techniques in realistic labs and machines. Here are a few resources:

And these retired Hack The Box machines:

New Article!

This week’s article is a bit different from the usual technical drops.

It’s about purpose. Why it matters. How to think about it. How to design your own.

To be honest, writing it made me feel a bit vulnerable. I'm not an expert in philosophy or personal development, and I even hesitated to publish it. But I believe it’s an important topic, and maybe it will help someone who feels a bit lost or disconnected right now.

If you're in that place, or just want to reflect deeper on where you're headed, it might resonate with you.

Read the first article here

Let me know your thoughts if you read it. I’d love to hear your feedback.

Subscribe now

Chapters

Kerberos Tactics Every Pentester Should Know

Next Issue

Enjoyed the article?

Subscribe to the newsletter and get technical insights, cybersecurity tips, and development content straight to your inbox. Or support my work with a coffee ☕ if you found it useful!

📫 Subscribe now ☕ Buy me a coffee