SKILL: GraphQL and Hidden Parameters — Introspection, Batching, and Undocumented Fields
AI LOAD INSTRUCTION: Use this skill when GraphQL exists or when REST documentation suggests optional, deprecated, or undocumented fields. Focus on schema discovery, hidden parameter abuse, and batching as a force multiplier.
1. GRAPHQL FIRST PASS
```graphql
query { __typename }
```

```graphql
query {
  __schema {
    types { name }
  }
}
```

If introspection is restricted, continue with:
- field suggestions and error-based discovery
- known type probes like `__type(name: "User")`
- JS and mobile bundle route extraction
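When introspection is enabled, the useful follow-up is to audit what the schema actually exposes rather than eyeball the type list. The script below is an added example, not part of the original skill page: it parses an introspection response, reports whether introspection is on, and flags fields whose names suggest admin-only or internal data as well as deprecated fields that are still reachable. The sample responses and the name pattern are constructed assumptions.

```python
"""Audit a GraphQL introspection result for exposed sensitive fields."""
import json
import re

# Name fragments that commonly mark privileged or internal fields (assumption;
# tune to the application's own naming conventions).
SENSITIVE_PATTERN = re.compile(r"(admin|internal|secret|token|password|role)", re.I)

# Constructed sample: what a server with introspection enabled might return
# for a __schema query that also asked for fields and deprecation status.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {
        "__schema": {
            "types": [
                {"name": "User", "kind": "OBJECT", "fields": [
                    {"name": "id", "isDeprecated": False, "deprecationReason": None},
                    {"name": "email", "isDeprecated": False, "deprecationReason": None},
                    {"name": "passwordHash", "isDeprecated": False, "deprecationReason": None},
                    {"name": "isAdmin", "isDeprecated": False, "deprecationReason": None},
                    {"name": "legacyToken", "isDeprecated": True, "deprecationReason": "use sessions"},
                ]},
                {"name": "Query", "kind": "OBJECT", "fields": [
                    {"name": "user", "isDeprecated": False, "deprecationReason": None},
                    {"name": "me", "isDeprecated": False, "deprecationReason": None},
                ]},
                {"name": "__Schema", "kind": "OBJECT", "fields": []},
                {"name": "String", "kind": "SCALAR", "fields": None},
            ]
        }
    }
})

# Constructed sample: a server that has introspection disabled.
SAMPLE_DISABLED = json.dumps({"errors": [{"message": "GraphQL introspection is not allowed"}]})


def audit_introspection(response_text):
    """Return introspection status plus lists of suspicious and deprecated fields."""
    doc = json.loads(response_text)
    schema = (doc.get("data") or {}).get("__schema")
    if not schema:
        # No __schema payload: introspection is off or the query was rejected.
        return {"introspection_enabled": False, "sensitive": [], "deprecated": []}

    sensitive, deprecated = [], []
    for t in schema.get("types", []):
        # Skip built-in meta types and scalars, which carry no fields of interest.
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        for f in t["fields"]:
            ref = f"{t['name']}.{f['name']}"
            if SENSITIVE_PATTERN.search(f["name"]):
                sensitive.append(ref)
            if f.get("isDeprecated"):
                deprecated.append(ref)
    return {"introspection_enabled": True, "sensitive": sensitive, "deprecated": deprecated}


if __name__ == "__main__":
    print(audit_introspection(SAMPLE_INTROSPECTION))
    print(audit_introspection(SAMPLE_DISABLED))
```

Every flagged field is a candidate for an authorization review: a field like `User.passwordHash` should either be removed from the schema or guarded by a field-level resolver check, and deprecated fields are worth confirming as actually disabled rather than merely hidden from the docs.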
2. HIGH-VALUE GRAPHQL TESTS
| Theme | Example |
|---|---|
| IDOR | |
| batching | array of login or object fetch operations |
| hidden fields | admin-only fields exposed in type definitions |
| nested authz gaps | related object fields with weaker checks |
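Batching matters because a single HTTP request can carry many operations, so request-level rate limits and login throttles see one hit where the executor sees dozens. The guard below is an added example (not from the original page) of the server-side check that closes that gap: it parses the body, rejects arrays over a configured size, and counts login-style mutations so that per-operation throttling still applies. The body samples, the size limit and the mutation-name pattern are constructed assumptions.

```python
"""Server-side guard for GraphQL batched requests."""
import json
import re

MAX_BATCH = 10  # assumed limit; choose per deployment

# Matches a mutation whose first selection (optionally aliased) is a login-style
# operation. Operation names are an assumption for this example.
LOGIN_MUTATION = re.compile(
    r"\bmutation\b[^{]*\{\s*(?:\w+\s*:\s*)?(login|signIn|authenticate)\b", re.I
)

# Constructed request bodies.
SINGLE_QUERY = json.dumps({"query": "query { me { id email } }"})
BATCHED_LOGINS = json.dumps([
    {"query": 'mutation { a1: login(username: "u", password: "p1") { token } }'},
    {"query": 'mutation { a2: login(username: "u", password: "p2") { token } }'},
    {"query": 'mutation { a3: login(username: "u", password: "p3") { token } }'},
])
OVERSIZED_BATCH = json.dumps(
    [{"query": "query { user(id: %d) { id } }" % i} for i in range(50)]
)


def inspect_batch(body_text, max_batch=MAX_BATCH):
    """Decide whether a request body may proceed and how many login attempts it carries."""
    body = json.loads(body_text)
    ops = body if isinstance(body, list) else [body]
    if len(ops) > max_batch:
        return {"allowed": False, "reason": "batch too large",
                "operations": len(ops), "login_attempts": 0}
    logins = sum(
        1 for op in ops
        if isinstance(op, dict) and LOGIN_MUTATION.search(op.get("query", ""))
    )
    # The caller charges `login_attempts` against the per-account throttle,
    # so three login mutations in one request cost the same as three requests.
    return {"allowed": True, "reason": None, "operations": len(ops), "login_attempts": logins}


if __name__ == "__main__":
    for body in (SINGLE_QUERY, BATCHED_LOGINS, OVERSIZED_BATCH):
        print(inspect_batch(body))
```

The same counting approach extends to object-fetch operations: charging the rate limiter per operation rather than per request removes batching as a force multiplier for enumeration as well as for credential guessing.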
3. HIDDEN PARAMETER DISCOVERY
Look for:
- fields present in admin docs but not public docs
- `additionalProperties` or permissive schemas
- frontend code using richer request bodies than visible UI controls
- mobile endpoints carrying role, org, feature-flag, or internal filter fields
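A permissive schema is what turns an undocumented field into a mass-assignment problem: if the body validator accepts unknown keys, a `role` or `org_id` the UI never sends reaches the model layer. The validator below is an added example, not code from the original page; it applies `additionalProperties: false` semantics to a profile-update body and shows the same body accepted under a permissive schema. The schema, field names and sample bodies are constructed assumptions.

```python
"""Reject undocumented request fields instead of silently accepting them."""
import json

# Constructed schema for a profile-update endpoint: only two documented fields.
PROFILE_UPDATE_SCHEMA = {
    "type": "object",
    "properties": {"displayName": {"type": "string"}, "bio": {"type": "string"}},
    "additionalProperties": False,
}

# Minimal type checks for the JSON schema types used here.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}

# Constructed bodies: what the UI sends, and the same body with a hidden field.
CLEAN_BODY = json.dumps({"displayName": "alice", "bio": "hello"})
HIDDEN_ROLE_BODY = json.dumps({"displayName": "alice", "bio": "hello", "role": "admin"})


def validate_body(body_text, schema):
    """Validate a JSON body; report unknown keys and type mismatches."""
    body = json.loads(body_text)
    if not isinstance(body, dict):
        return {"ok": False, "unknown": [], "type_errors": ["body must be an object"]}
    props = schema["properties"]
    unknown = sorted(k for k in body if k not in props)
    type_errors = [
        k for k, v in body.items()
        if k in props and not TYPE_CHECKS[props[k]["type"]](v)
    ]
    # Unknown keys only fail validation when additionalProperties is false;
    # a permissive schema lets them through, which is the weakness in question.
    allows_extra = schema.get("additionalProperties", True)
    ok = not type_errors and (allows_extra or not unknown)
    return {"ok": ok, "unknown": unknown, "type_errors": type_errors}


def strip_unknown(body_text, schema):
    """Alternative handling: drop undocumented keys and return what was dropped for logging."""
    body = json.loads(body_text)
    props = schema["properties"]
    clean = {k: v for k, v in body.items() if k in props}
    dropped = sorted(k for k in body if k not in props)
    return clean, dropped


if __name__ == "__main__":
    print(validate_body(HIDDEN_ROLE_BODY, PROFILE_UPDATE_SCHEMA))
    print(validate_body(HIDDEN_ROLE_BODY, dict(PROFILE_UPDATE_SCHEMA, additionalProperties=True)))
    print(strip_unknown(HIDDEN_ROLE_BODY, PROFILE_UPDATE_SCHEMA))
```

Rejecting outright is the safer default for write endpoints; stripping with a log line is the pragmatic choice when legacy clients send extra keys, and the dropped-key log is itself a useful detection signal for probing of the kind this section describes.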
4. NEXT ROUTING
- If hidden fields affect privilege: api authorization and bola
- If GraphQL batching changes auth or rate behavior: api auth and jwt abuse
- If endpoint discovery is incomplete: api recon and docs