Aikido can scan your GraphQL API endpoints to uncover vulnerabilities specific to GraphQL. One of the methods we use is API fuzzing, which essentially means sending large numbers of potentially dangerous payloads to each field in your API.
NEVER do this setup on a production environment, but always on staging to avoid potential downtime or interference.
Step 1: Click Add Domain in the Domain Overview and select GraphQL scanning.
[Screenshot: application type selection screen for security testing of web and API applications.]
Step 2: Enter the domain name of your staging environment. Make sure this is the base URL of your GraphQL API (e.g. https://example.io/graphql).
[Screenshot: input field for entering the GraphQL endpoint domain name.]
Step 3: Click Save. Aikido will now scan your GraphQL API.
Step 4: Authorization (optional). If your API requires credentials, you can add the authorization information by clicking the triple-dot action menu on the domain and then choosing 'Authenticate Domain'.
[Screenshot: domain action menu offering scan, configuration, authentication, and delete options.]
This opens a modal where you can fill in the authentication details.
[Screenshot: domain authentication setup form for enabling form-based login credentials.]
Identifying Aikido traffic
All requests coming from Aikido REST and GraphQL scans have:
the User-Agent header set to aikido-scan-agent/1.0
the request header aikido-api-test set to the value 1
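The two markers above are what you would key on to attribute staging traffic to the scanner, for example to keep a WAF or API-gateway anomaly alert from paging on a scheduled scan. The following is an added example, not Aikido's own code: it tags constructed sample requests using only the documented User-Agent and aikido-api-test header, and treats a request that carries just one of the two markers as ordinary traffic. The sample requests and the request dictionary layout are constructed for the example.

```python
"""Tag incoming HTTP requests that originate from Aikido REST/GraphQL scans.

Added example, not Aikido's own code. It relies only on the two markers
documented on this page: the User-Agent 'aikido-scan-agent/1.0' and the
request header 'aikido-api-test: 1'. The sample requests are constructed.
"""
from typing import Dict, Iterable, List, Mapping

AIKIDO_USER_AGENT = "aikido-scan-agent/1.0"
AIKIDO_TEST_HEADER = "aikido-api-test"


def is_aikido_scan(headers: Mapping[str, str]) -> bool:
    """True when both documented markers are present.

    HTTP header names are case-insensitive, so they are normalised before
    lookup; values are compared exactly. Both markers must match, so a
    request that only mimics the User-Agent is not counted as scanner traffic.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    return (
        lowered.get("user-agent") == AIKIDO_USER_AGENT
        and lowered.get(AIKIDO_TEST_HEADER) == "1"
    )


def label_requests(requests: Iterable[Mapping[str, object]]) -> List[Dict[str, str]]:
    """Attach a 'source' label ('aikido-scan' or 'other') to each request.

    Each request is a dict with 'method', 'path' and 'headers' (a constructed
    layout for this example). The label is meant for log attribution and
    alert triage on staging. It is not an authentication decision: any client
    can send these headers, so never use them to grant access.
    """
    labelled = []
    for req in requests:
        source = "aikido-scan" if is_aikido_scan(req["headers"]) else "other"
        labelled.append(
            {"method": str(req["method"]), "path": str(req["path"]), "source": source}
        )
    return labelled


def scan_hits(requests: Iterable[Mapping[str, object]]) -> int:
    """Count requests attributed to the scanner (a quick sanity check that
    the scan actually reached the staging endpoint)."""
    return sum(1 for r in label_requests(requests) if r["source"] == "aikido-scan")


# Constructed sample traffic: two scanner requests against the staging GraphQL
# endpoint (one with differently cased header names), one ordinary client, and
# one request that sets only the User-Agent.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/graphql",
     "headers": {"User-Agent": "aikido-scan-agent/1.0", "aikido-api-test": "1",
                 "Content-Type": "application/json"}},
    {"method": "POST", "path": "/graphql",
     "headers": {"user-agent": "aikido-scan-agent/1.0", "Aikido-Api-Test": "1"}},
    {"method": "POST", "path": "/graphql",
     "headers": {"User-Agent": "Mozilla/5.0", "Content-Type": "application/json"}},
    {"method": "GET", "path": "/health",
     "headers": {"User-Agent": "aikido-scan-agent/1.0"}},
]

if __name__ == "__main__":
    for entry in label_requests(SAMPLE_REQUESTS):
        print(f"{entry['source']:12} {entry['method']} {entry['path']}")
    print(f"scanner requests: {scan_hits(SAMPLE_REQUESTS)}")
```

Running the block prints one line per sample request with its label and reports two scanner requests. The same check drops straight into a gateway or WAF rule that excludes matching requests from rate-limit or anomaly alerting on staging; because the markers are plain request headers, treat them as attribution only and keep whatever authentication the API already enforces in place.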