(Send blessings upon the Prophet)
Introduction
During a recent penetration test, I encountered an application with restricted functionality due to plan limitations. However, by analyzing the JavaScript files, I discovered hidden GraphQL mutations that revealed undocumented API behavior. This blog explains how I uncovered and tested one of them — AddWorkspaceWhitelistDomains.
Methodology
Step 1 – Searching JavaScript for GraphQL operations
I searched through the application’s .js files for mutation and query keywords to locate GraphQL operations used by the UI.
Step 2 – Using Wayback Machine & VirusTotal & Burp Suite search
I used the Wayback Machine and VirusTotal to recover archived or cached versions of the JS files that were no longer accessible.
Step 3 – Aggregating and analyzing files
I combined all .js files into one for easier searching, then extracted all the GraphQL queries and mutations.
Step 4 – Finding the key mutation
After analysis, I identified mutation AddWorkspaceWhitelistDomains, which appeared to handle domain whitelisting.
Step 5 – Testing via Burp Suite
Using Burp Suite, I intercepted and replayed the request to analyze its behavior and confirm the functionality.
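The search and aggregation in Steps 1 to 4, as an added example (not the author's script or the application's code): a Node.js function that lists the GraphQL operations embedded in bundle text and reports those missing from a reviewed list, which is also how a team can audit what its own bundles disclose. The bundle text, the reviewed list and every name other than AddWorkspaceWhitelistDomains are constructed, and that mutation's arguments here are placeholders.

```javascript
// Added example: inventory GraphQL operations embedded in client-side JS.
// Matches "query Name(", "mutation Name {" etc. inside template literals or
// minified strings. Anonymous operations (no name) are not captured.
const OPERATION_RE =
  /\b(query|mutation|subscription)\s+([A-Za-z_][A-Za-z0-9_]*)\s*[({]/g;

function extractOperations(source) {
  const seen = new Map();
  for (const [, type, name] of source.matchAll(OPERATION_RE)) {
    // The same operation often appears in several chunks: keep one entry.
    seen.set(`${type}:${name}`, { type, name });
  }
  return [...seen.values()].sort((a, b) => a.name.localeCompare(b.name));
}

// Operations shipped in the bundle but absent from the reviewed list.
function unreviewed(operations, reviewedNames) {
  const reviewed = new Set(reviewedNames);
  return operations.filter((op) => !reviewed.has(op.name));
}

// Constructed sample standing in for the concatenated .js files.
// Argument and field names below are placeholders, not the real schema.
const SAMPLE_BUNDLE = [
  "const a=gql`query GetWorkspace($id:ID!){workspace(id:$id){id name}}`;",
  "const b=gql`mutation UpdateProfile($input:PlaceholderInput!){placeholder(input:$input){id}}`;",
  'const c="mutation AddWorkspaceWhitelistDomains($input:PlaceholderInput!){placeholder(input:$input){id}}";',
  "const d=gql`query GetWorkspace($id:ID!){workspace(id:$id){id}}`;", // duplicate from a second chunk
  "function mutation(){ return query.length }", // keywords used as identifiers: no match
].join("\n");

// Constructed list of operations already documented and reviewed.
const REVIEWED = ["GetWorkspace", "UpdateProfile"];

function report(bundle = SAMPLE_BUNDLE, reviewed = REVIEWED) {
  return unreviewed(extractOperations(bundle), reviewed).map(
    (op) => `${op.type} ${op.name}`
  );
}

console.log(report());
```

Anything the report lists is reachable by any client that reads the bundle, so the plan and role checks for it have to be enforced in the server-side resolver.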
Outcome
I successfully identified and tested the hidden mutation AddWorkspaceWhitelistDomains. The behavior was confirmed and later reported responsibly to the program.
Alhamdulillah (الحمد لله) — another successful finding through persistence and code review.