GraphQL API Scanning

Aikido can scan your GraphQL API endpoints to uncover vulnerabilities specific to GraphQL. One of the methods we use is API fuzzing: the scanner sends potentially dangerous payloads (injection strings, oversized inputs, and similar) to each field and argument exposed by your API and checks how the endpoint responds.

NEVER run this setup against a production environment. Always point it at staging: fuzzing hits every field, including mutations that write data, so it can cause downtime or interfere with real records.
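To make the fuzzing description above concrete, here is an added illustration (not Aikido's scanner code) of how a GraphQL fuzzer typically enumerates targets: it walks an introspection result, picks every root field argument that accepts free text, and emits one operation per payload. The introspection document, payload list and endpoint URL are constructed for the example. Note that mutation fields get the same payloads as queries, which is why the scan belongs on staging.

```python
"""Illustrative GraphQL fuzz-operation generator (added example, not Aikido's scanner)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed introspection result, trimmed to the parts a fuzzer needs.
SCHEMA: Dict = {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user",
             "type": {"kind": "OBJECT", "name": "User", "ofType": None},
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}]},
            {"name": "search",
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}},
             "args": [{"name": "term", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                      {"name": "limit", "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}]},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateEmail",
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None},
             "args": [{"name": "email", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}]},
        ]},
    ],
}

# Constructed payload list; a real scanner carries far more than these five.
PAYLOADS: List[str] = [
    "' OR '1'='1",                # SQL injection probe
    "<script>alert(1)</script>",  # reflected XSS probe
    "{{7*7}}",                    # template injection probe
    "../../../../etc/passwd",     # path traversal probe
    "A" * 4096,                   # oversized input
]

FUZZABLE_SCALARS = {"String", "ID"}  # only free-text arguments take string payloads


def unwrap(type_ref: Dict) -> Dict:
    """Strip NON_NULL and LIST wrappers to reach the named type."""
    while type_ref["kind"] in ("NON_NULL", "LIST"):
        type_ref = type_ref["ofType"]
    return type_ref


def named_type(schema: Dict, name: str) -> Dict:
    """Look up a type definition by name in the introspection result."""
    return next(t for t in schema["types"] if t["name"] == name)


def fuzzable_args(field: Dict) -> List[str]:
    """Argument names whose underlying type accepts free text."""
    return [a["name"] for a in field.get("args", [])
            if unwrap(a["type"])["name"] in FUZZABLE_SCALARS]


def build_operation(op: str, field: Dict, arg: str, payload: str) -> str:
    """Build one GraphQL document; json.dumps produces a valid GraphQL string literal.

    Object-returning fields need a selection set, scalar-returning ones must not have one.
    """
    selection = " { __typename }" if unwrap(field["type"])["kind"] == "OBJECT" else ""
    return f"{op} {{ {field['name']}({arg}: {json.dumps(payload)}){selection} }}"


def generate_fuzz_operations(schema: Dict, payloads: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (operation_kind, field, argument, document) for every root field argument."""
    out: List[Tuple[str, str, str, str]] = []
    for key, op in (("queryType", "query"), ("mutationType", "mutation")):
        root = schema.get(key)
        if not root:
            continue
        for field in named_type(schema, root["name"])["fields"]:
            for arg in fuzzable_args(field):
                for payload in payloads:
                    out.append((op, field["name"], arg, build_operation(op, field, arg, payload)))
    return out


def build_request(document: str, bearer_token: Optional[str] = None) -> Tuple[Dict[str, str], str]:
    """Headers and JSON body for POSTing one document (nothing is sent here).

    The bearer token stands in for the credentials a scanner is configured with.
    """
    headers = {"Content-Type": "application/json"}
    if bearer_token:
        headers["Authorization"] = f"Bearer {bearer_token}"
    return headers, json.dumps({"query": document})


if __name__ == "__main__":
    ops = generate_fuzz_operations(SCHEMA, PAYLOADS)
    mutations = [o for o in ops if o[0] == "mutation"]
    print(f"{len(ops)} operations generated, {len(mutations)} of them mutations that would write state")
    for _, _, _, doc in ops[:3]:
        print(doc)
```

The `limit: Int` argument is skipped because string payloads would be rejected by GraphQL validation before reaching application code; a fuller fuzzer has separate payload sets per scalar type. Every `updateEmail` document in the output is a state-changing request, which is the concrete reason the warning above insists on a staging target.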

Main Use Cases

The full list of GraphQL checks is available in the Aikido app.

Setting up GraphQL API Scanning

Step 1: Click Add Domain in the Domain Overview and select GraphQL scanning

[Screenshot: application type selection screen for security testing of web and API applications]

Step 2: Enter the URL of your staging environment. Make sure this is the base URL your GraphQL API is served from, i.e. the endpoint that queries are posted to (e.g., https://example.io/graphql), and not a production URL.

[Screenshot: input field for entering the GraphQL endpoint URL]

Step 3: Click Save. Aikido will now scan your GraphQL API.

Step 4: Authorization. If your API requires authentication, add the credentials Aikido should use: open the triple-dot action menu on the domain and choose 'Authenticate Domain'. Use a dedicated staging test account rather than real user credentials, since the scanner will exercise every operation that account is allowed to perform.

[Screenshot: domain action menu offering scan, configuration, authentication, and delete options]

This opens a modal where you fill in the authentication details.

[Screenshot: domain authentication setup form for form-based login credentials]
