So I was trying to set up a GraphQL scan in ZAP Desktop (2.12.0).
I have this endpoint, <hidden>, which has introspection enabled. Postman can successfully fetch the schema.
When I try to do that in ZAP, however, it's not sending any POST request.
So this is what I've done so far:
I set up the Endpoint and Schema URL, which are basically the same.
2023-01-25.png
Then when I hit the import button, it shows me this error and it also makes a GET request to the endpoint.
Screenshot (29).png
Now I don't remember it for sure, but ZAP was making a POST request for the schema a while ago because the endpoint was working fine.
Anyways, shouldn't ZAP make a POST request with the introspection query to fetch the schema?
This is the response to the GET query it's making:
Screenshot (30).png
I've also tried to tweak the options in the GraphQL settings, but they have no effect on this behaviour. I changed the Request method, but it doesn't change anything so far.
Screenshot (31).png
Am I missing anything, or is there another way we should scan GraphQL with introspection enabled? Please help. Thank you :)