GraphQL Support
StackHawk is pioneering application security testing for GraphQL APIs. The scanner, HawkScan, performs introspection of a GraphQL app to generate routes based on the available operations. The scanner can be configured to enumerate all available types and input parameters for Query and Mutation together, or for each individual type separately.
See GraphQL configuration settings for more details.
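To make the route-generation step concrete, here is an added example (not StackHawk's or HawkScan's own code) that walks a GraphQL introspection result and enumerates the operations a scanner would turn into routes: every field on the Query and Mutation root types, with each field's input parameters rendered in GraphQL type notation (ID!, [String], and so on). The introspection payload is a constructed sample; the operation filter mirrors the page's ALL and adds QUERY and MUTATION as assumed values for scanning one root type on its own. The skeleton documents it builds carry variables but no selection sets, which a real scanner would still need for object-typed results.

```python
import json

# Constructed sample of an introspection response (not captured from any real API).
# It declares a Query type with two fields and a Mutation type with one field.
INTROSPECTION_RESPONSE = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"kind": "OBJECT", "name": "Query", "fields": [
                {"name": "me", "args": []},
                {"name": "user", "args": [
                    {"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                            "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
                ]},
            ]},
            {"kind": "OBJECT", "name": "Mutation", "fields": [
                {"name": "updateName", "args": [
                    {"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                            "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
                    {"name": "name", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                ]},
            ]},
            {"kind": "OBJECT", "name": "User", "fields": [
                {"name": "id", "args": []}, {"name": "name", "args": []},
            ]},
        ],
    }}
})


def type_to_str(type_ref):
    """Render an introspection type reference as GraphQL notation, e.g. ID! or [String]."""
    kind = type_ref["kind"]
    if kind == "NON_NULL":
        return type_to_str(type_ref["ofType"]) + "!"
    if kind == "LIST":
        return "[" + type_to_str(type_ref["ofType"]) + "]"
    return type_ref["name"]


def build_document(kind, name, args):
    """Build a skeleton operation document with one variable per input parameter.
    Selection sets are intentionally omitted (assumed simplification)."""
    head = f"{kind} {name}"
    if args:
        head += "(" + ", ".join(f"${a}: {t}" for a, t in args) + ")"
    call = name
    if args:
        call += "(" + ", ".join(f"{a}: ${a}" for a, _ in args) + ")"
    return f"{head} {{ {call} }}"


def enumerate_operations(raw_json, operation="ALL"):
    """List root operations (Query and/or Mutation fields) with their input parameters.

    operation: "ALL" (as in the page's config) or the assumed values "QUERY" / "MUTATION".
    A schema with no mutationType (JSON null) simply yields no mutations.
    """
    schema = json.loads(raw_json)["data"]["__schema"]
    roots = []
    if operation in ("ALL", "QUERY") and schema.get("queryType"):
        roots.append(("query", schema["queryType"]["name"]))
    if operation in ("ALL", "MUTATION") and schema.get("mutationType"):
        roots.append(("mutation", schema["mutationType"]["name"]))

    types_by_name = {t["name"]: t for t in schema["types"]}
    operations = []
    for kind, root_name in roots:
        for field in types_by_name[root_name].get("fields") or []:
            args = [(a["name"], type_to_str(a["type"])) for a in field.get("args", [])]
            operations.append({
                "operation": kind,
                "name": field["name"],
                "args": args,
                "document": build_document(kind, field["name"], args),
            })
    return operations


if __name__ == "__main__":
    for op in enumerate_operations(INTROSPECTION_RESPONSE):
        print(f"{op['operation']:<8} {op['name']:<12} {op['args']}")
        print("    " + op["document"])
```

Run it and each root field prints alongside its parameters and a skeleton document; pass "MUTATION" as the second argument to see only the Mutation side, which is the per-type mode the page describes.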
Getting Started
Create an application on the StackHawk Web platform.
Download the stackhawk.yml file from the New Application Wizard or manually create the file in your project directory.
Once you've completed these two steps, check out the Overview Video and code snippets below.
Overview
Configuration Examples
Basic Scan
app:
  applicationId: xxxxx-XXXX-xxx-XXXX-xxxxxxx # (required)
  env: Pre-Production # (required)
  host: http://localhost:3000 # (required)
  autoPolicy: true
  autoInputVectors: true
  graphqlConf:
    enabled: true
    schemaPath: /graphql
    operation: ALL # (default)
Adding Authentication
Authentication comes in many shapes and sizes including web forms, JSON forms, and tokens. For additional information on configuring other types of authentication with StackHawk, please see our docs.
app:
  ...
  authentication:
    loggedInIndicator: HTTP/\d+\.\d+\s+(2[0-9][0-9]|3[0-9][0-9])
    loggedOutIndicator: HTTP/\d+\.\d+\s+(4[0-9][0-9])
    external:
      type: TOKEN
      value: ${AUTH_TOKEN}
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /graphql
      success: ".*200.*"
      requestMethod: "POST"
      requestBody: '{"query" : "query me {id name}"}'
      requestHeaders:
        Accept-Encoding: "application/json"
        Content-Type: "application/json"
Additional Information
To scan a GraphQL application using a schema file (rather than an introspection endpoint), see How to generate a GraphQL schema file for use by HawkScan.