Can this skill be used if introspection is disabled?

Yes, the skill includes specialized workflows for schema reconstruction using field suggestion errors and brute-forcing techniques even when standard introspection is turned off.

Is this skill safe for production environments?

This skill should only be used in production with explicit written authorization, as intensive schema extraction and query depth testing can impact service availability.

What is a GraphQL introspection attack?

It is a technique used to query the __schema system of a GraphQL API to reveal its internal structure, including all types, queries, and mutations, which can help an attacker map the attack surface.

What tools are required to use this skill?

You will need Python 3.10+ with the requests library, and for advanced analysis, tools like Burp Suite or GraphQL Voyager are recommended.

GraphQL Introspection Security Testing

Name: GraphQL Introspection Security Testing
Author: mukul975

bymukul975

•

4,121

•

安全与测试

Performs automated GraphQL introspection attacks and schema analysis to identify sensitive fields and API vulnerabilities.

This skill empowers security professionals to thoroughly assess GraphQL endpoints by automating the extraction of full API schemas through introspection techniques. It facilitates the mapping of attack surfaces to identify sensitive queries, mutations, and types, while testing for implementation-specific flaws like query depth abuse, alias-based batching, and denial-of-service vulnerabilities. Whether introspection is natively enabled or requires reconstruction through suggestion-based brute-forcing, this tool provides the necessary scripts and workflows to evaluate a GraphQL API's security posture effectively during authorized penetration testing.

主要功能

01Vulnerability testing for query depth and alias-based batching

024,121 GitHub stars

03Full schema extraction including types, mutations, and subscriptions

04Automated GraphQL endpoint discovery across common paths

05Schema reconstruction via field suggestion brute-forcing

06Sensitive data identification within the API structure

使用场景

01Conducting comprehensive security audits of GraphQL-based APIs

02Mapping hidden API surfaces when documentation is unavailable

03Validating resource limits and protection against query-based DoS

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-graphql-introspection-attack

For use in Claude.ai and ChatGPT

主要功能

01Vulnerability testing for query depth and alias-based batching

024,121 GitHub stars

03Full schema extraction including types, mutations, and subscriptions

04Automated GraphQL endpoint discovery across common paths

05Schema reconstruction via field suggestion brute-forcing

06Sensitive data identification within the API structure

使用场景

01Conducting comprehensive security audits of GraphQL-based APIs

02Mapping hidden API surfaces when documentation is unavailable

03Validating resource limits and protection against query-based DoS

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add mukul975/anthropic-cybersecurity-skills performing-graphql-introspection-attack

For use in Claude.ai and ChatGPT