
GraphQL API Scanning

Aikido can scan your GraphQL API endpoints to uncover vulnerabilities specific to GraphQL. One of the methods we use is API fuzzing: the scanner enumerates the fields and arguments your API exposes and sends dangerous payloads (injection strings, oversized values, path traversal and similar) to each of them, then checks how the API responds.

NEVER set this up against a production environment; always scan a staging environment. Fuzzing sends a large volume of malicious input to every field, including mutations, so it can create, modify or delete data and can cause downtime. Use a staging environment that exposes the same schema as production but holds no production data.
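To make the fuzzing method described above concrete, here is an added example (written for this page, not Aikido's scanner code) that does the first part of such a scan offline: it reads a GraphQL introspection result, walks every field of the root query type, and builds one query per field argument per payload. The introspection document and the payload lists are constructed for the example; Aikido's real payload sets and the exact checks it runs are not published here, so treat the payloads as illustrative only.

```python
"""Added example, not Aikido's code: build per-field fuzz queries from a
GraphQL introspection result. Only ever send the output to a staging API."""
import json

# Constructed introspection excerpt, in the shape a __schema query returns.
INTROSPECTION = {
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "types": [
            {"name": "Query", "kind": "OBJECT", "fields": [
                {"name": "user",
                 "type": {"kind": "OBJECT", "name": "User", "ofType": None},
                 "args": [{"name": "id",
                           "type": {"kind": "NON_NULL", "name": None,
                                    "ofType": {"kind": "SCALAR", "name": "ID",
                                               "ofType": None}}}]},
                {"name": "search",
                 "type": {"kind": "LIST", "name": None,
                          "ofType": {"kind": "OBJECT", "name": "Result",
                                     "ofType": None}},
                 "args": [{"name": "term",
                           "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                          {"name": "limit",
                           "type": {"kind": "SCALAR", "name": "Int", "ofType": None}}]},
                {"name": "health",
                 "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None},
                 "args": []},
            ]},
        ],
    }}
}

# Illustrative payloads per scalar type (assumption: not Aikido's real lists).
PAYLOADS = {
    "String": ["' OR 1=1 --", "<script>alert(1)</script>", "../../etc/passwd", "A" * 5000],
    "ID": ["' OR 1=1 --", "../../etc/passwd", "1 UNION SELECT 1"],
    "Int": [2147483648, -1, 0],
}


def base_type(t):
    """Unwrap NON_NULL and LIST wrappers down to the named base type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t


def literal(scalar, value):
    """Render a payload as a GraphQL literal for the given scalar type."""
    if scalar in ("String", "ID"):
        # JSON string escaping produces a valid GraphQL string literal here.
        return json.dumps(value)
    return str(value)


def fuzz_queries(introspection):
    """Return one query per (root field, argument, payload) combination."""
    schema = introspection["data"]["__schema"]
    root = schema["queryType"]["name"]
    types = {t["name"]: t for t in schema["types"]}
    out = []
    for field in types[root]["fields"]:
        # Object-typed fields need a selection set to be a valid query.
        ret = base_type(field["type"])
        selection = " { __typename }" if ret["kind"] in ("OBJECT", "INTERFACE", "UNION") else ""
        for arg in field["args"]:
            scalar = base_type(arg["type"])["name"]
            for payload in PAYLOADS.get(scalar, []):
                query = f'query {{ {field["name"]}({arg["name"]}: {literal(scalar, payload)}){selection} }}'
                out.append({"field": field["name"], "arg": arg["name"],
                            "payload": payload, "query": query})
    return out


if __name__ == "__main__":
    for q in fuzz_queries(INTROSPECTION):
        print(q["field"], q["arg"], q["query"][:80])
```

A real scan would POST each generated query to the staging endpoint with any required authorization header and compare the responses (status codes, error messages, response size and timing) against a baseline request; this example stops at query generation so it runs without a target. Note that it relies on introspection being enabled, which is exactly why you give the scanner a staging environment rather than an introspection-disabled production API.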

Main Use Cases

You can see all checks in the Aikido app here.

Setting up GraphQL API Scanning

Step 1: Click Add Domain in the Domain Overview.

Step 2: Enter the domain name of your staging environment. Ensure this is the base URL of your GraphQL API, i.e. the URL the GraphQL requests are sent to (e.g., https://example.io/graphql).

Step 3: Set the Application Type to GraphQL API to enable GraphQL API Scanning.

Step 4: Click Save. Aikido will now scan your GraphQL API.

Step 5: Authorization. If your API requires authentication, add the authorization details as well; without them the scanner only reaches the unauthenticated surface of your API. Click the triple-dots action menu on the domain and choose 'Authenticate Domain'.

This opens a modal where you can fill in the authentication details.