The GraphQL Support script is responsible for two things:
The following sections will elaborate a little on each of these functionalities.
Each unique GraphQL request proxied through ZAP is represented in the sites tree. Requests are placed under a common node if they have the same operations. Two queries that have the same fields will be represented by the same node. The only exception is when a query is sent with inline arguments and also using variables. In this case, a prefix of either ‘0’ or ‘1’ is added to distinguish between them respectively.
For example, the following figure illustrates how two requests may be represented in the sites tree.
If Active Scan Script Input Vectors are enabled, values are injected for inline arguments in all queries proxied through ZAP. If a query uses variables, then variables are replaced inline and variable definitions are deleted.
Note that the built-in JSON Input Vector handler also works when a request is sent as JSON.
|GraphQL||for an overview of the GraphQL add-on.|
|GraphQL Options||for information about the optional parameters.|
|GraphQL Automation||for information about the automation framework support.|