This post is a part of a series of posts related to my Google Summer of Code ‘20 project.

The past week, I worked on the GUI part of the add-on, which is simply two dialog boxes. These dialog boxes allow the user to specify the location of a GraphQL schema and corresponding endpoint. I also read up on some GraphQL concepts.

Listing all GraphQL data types

I read the GraphQL documentation on ‘Schemas and Types’ which had a good explanation of the GraphQL type system. Here’s a flow chart I created that lists all GraphQL data types:

Types +--> Object Types +--> Regular Objects
      |                 +--> "Entry Points" +--> Queries
      |                                     +--> Mutations
      +--> Scalar Types +--> Int
      |                 +--> Float
      |                 +--> String
      |                 +--> Boolean
      |                 +--> ID
      +--> Enumeration Types
      +--> Abstract Types +--> Interfaces
                          +--> Unions

You can click here for a more visual representation.

Creating Import Dialogs

The code for the import dialogs is very similar to the dialogs from the openapi add-on, with some changes to allow the omission of the schema file path/URL. These changes were necessary because GraphQL endpoints have a neat feature called Introspection that enables us to ask them for information about what queries the schema supports.

There were also some changes in the validation of URLs. For that, I took hints from the quickstart add-on. To add a URL into the sites tree, I looked at the code from the openapi and soap add-ons.

You can find the code for the import dialogs in my most recent pull request (#2420).

Creating a Simple Example

I also experimented with graphql-java and it’s getting started tutorial.

Plans for this Week

After a video call with my mentors today, I now have a clear view of the big picture and the work that I have to do. The first stage of the add-on is ZAP being able to understand an imported schema and generate all possible requests from it. Once the sites tree has been populated, then we will move on to attacks / active scan rules.

For now, these are the things I have to begin working on:

  • importing a schema from a file
  • importing a schema from a URL
  • importing a schema from a URL via Introspection
  • a spider that finds endpoint URLs
  • a parser that understands a schema and generates queries from it

By the way, the title of this post comes from an anime that I watched a while ago. It’s about a boy called Maruo Eiichirou who learns to play tennis by taking extensive notes. I found it to be a little slow, but quite motivating. You can check it out here.