GraphQL API testing guide

[OrAsaf]

This PR covers issue #553 .

• This PR handles the issue and requires no additional PRs.
• You have validated the need for this change.

What did this PR accomplish?

• Created section 12-API testing
• Created GraphQL testing guide

[ThunderSon]

You have a ~~~ instead of triple ticks, if you can fix that.
So I have a proposition. How about splitting the test inside a folder for GraphQL, where every test scenario takes its own file? More concise, more focused. What do you think? The SQLi is an example, where every DB has its own file

I will review this in the coming days, as this is a new test, I'll take some time going over it.

[ThunderSon]

@PauloASilva I believe you'd be interested in having a look at this :)
If you know any additional GraphQL experts as well, be my guest in inviting them!

[PauloASilva]

Thanks for pinging @ThunderSon.

@1OREO may I suggest you to check OWASP/CheatSheetSeries/pull/434 to understand the current testing guide coverage: the PR is full of good references (may more will be available through git history).

Cheers,
Paulo A. Silva

[OrAsaf]

@ThunderSon I've resolved the issue you mentioned (using "~"), and some terminology linter issues.
I can understand why separating the file into smaller pieces will be good (they will be more focused as well as easier for more contributors to add GraphQL related test).
I'm fine either way, when you're done reviewing and know how to best proceed, ping me.
I've also looked at the cheatsheet PR, so also let me know if we want to include it as a reference, and add content to the wstg file.

[kingthorin]

Note the code fencing still needs a highlighting hint.
The linter workflow is failing to comment due to an output/content issue (which I’ll look into and address).

Current linting issues

document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:39 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
7
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:239:1 MD033/no-inline-html Inline HTML [Element: img]
8
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:240:1 MD033/no-inline-html Inline HTML [Element: img]
9
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:241:1 MD033/no-inline-html Inline HTML [Element: img]
10
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:323 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2]
11
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:334:4 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1]
12
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:334 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "``` "]
13
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:387 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]
14
document/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL.md:450 MD040/fenced-code-language Fenced code blocks should have a language specified [Context: "```"]

See the template directory for details on embedding images.

[OrAsaf]

@kingthorin I've resolved all of the linter issues except for the images one.
The problem I had is the screenshots I took were not very wide, which resulted in being a huge zoomed-in picture and I did not find any other way to resize them (if you'll look at the file, all of the other images are included regularly within markdown using ).
I can revert them back but I think it'll look quite bad.
Is there another solution you can direct me to?

[kingthorin]

I think the images will turnout fine for the web deployment (ex: https://owasp.org/www-project-web-security-testing-guide/latest/6-Appendix/F-Leveraging_Dev_Tools.html) and PDF generation, I wouldn't worry about how they look on GitHub we don't really expect people to use GH as a primary means of consuming that material.

[OrAsaf]

ack, so I'll convert it to the normal way of importing images and push the update to the PR.

[ThunderSon]

As the first look, on top of the direct review points:

1. We can join the generic attacks under a section saying that. (Injection, AuthZ/N, etc.)
2. Please fix the JSON response (like close it properly, we'll see later to how to represent a bigger response). It's breaking on the representation side.
3. Let's add the graphQL batching attack: https://lab.wallarm.com/graphql-batching-attack/
4. Pointers at mutations with weak access control maybe?

I clearly can see this scenario shorter and more concise, but it looks like a starting place for graphql. This should take a couple of rounds before it gets accepted, so I hope that doesn't really bother you.

Rick should be doing a review soon, just as they're more free with life overall. Everything is open for discussions, and if I can help somehow let me know :)

[kingthorin]

I believe you removed references to these 4 images, so could you remove the files themselves from the PR?

![GraphiQL1](images/GraphiQL1.png)
![GraphiQL2](images/GraphiQL2.png)
![GraphiQL3](images/GraphiQL3.png)
![GraphiQL4](images/GraphiQL4.png)

(Unless I missed something, please correct me if I'm wrong.)

[kingthorin]

Looks good, thanks ⭐

[kingthorin]

Thanks for those tweaks

[ghost]

@1OREO @ThunderSon

From my beginners PoV, it seems really good to me, it is easy to follow, covers the most important stuff and has references for further understanding and experimenting. Also it is just the right balance between enough information and not being cluttered. Kudos! 👍 💯

Stale