How to install graphql-and-hidden-parameters
npx skills add https://github.com/yaklang/hack-skills --skill graphql-and-hidden-parametersClaude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)
Source of truth, from yaklang/hack-skills.
name: graphql-and-hidden-parameters description: >- GraphQL and hidden parameter testing playbook. Use when exploring introspection, batching, undocumented fields, hidden parameters, schema abuse, and GraphQL authorization gaps.
SKILL: GraphQL and Hidden Parameters — Introspection, Batching, and Undocumented Fields
AI LOAD INSTRUCTION: Use this skill when GraphQL exists or when REST documentation suggests optional, deprecated, or undocumented fields. Focus on schema discovery, hidden parameter abuse, and batching as a force multiplier.
1. GRAPHQL FIRST PASS
query { __typename }
query {
__schema {
types { name }
}
}
If introspection is restricted, continue with:
- field suggestions and error-based discovery
- known type probes like
__type(name: "User") - JS and mobile bundle route extraction
2. HIGH-VALUE GRAPHQL TESTS
| Theme | Example |
|---|---|
| IDOR | user(id: "victim") |
| batching | array of login or object fetch operations |
| hidden fields | admin-only fields exposed in type definitions |
| nested authz gaps | related object fields with weaker checks |
3. HIDDEN PARAMETER DISCOVERY
Look for:
- fields present in admin docs but not public docs
additionalPropertiesor permissive schemas- frontend code using richer request bodies than visible UI controls
- mobile endpoints carrying role, org, feature-flag, or internal filter fields
4. NEXT ROUTING
- If hidden fields affect privilege: api authorization and bola
- If GraphQL batching changes auth or rate behavior: api auth and jwt abuse
- If endpoint discovery is incomplete: api recon and docs
Related skills
More from yaklang/hack-skills and the wider catalog.
HA
hack
yaklang/hack-skills
>-
1.9k installs
SQ
sqli-sql-injection
yaklang/hack-skills
>-
1.8k installs
CO
code-obfuscation-deobfuscation
yaklang/hack-skills
>-
1.8k installs
AP
api-sec
yaklang/hack-skills
>-
1.8k installsAudited
AN
android-pentesting-tricks
yaklang/hack-skills
>-
1.8k installs
XS
xss-cross-site-scripting
yaklang/hack-skills
>-
1.8k installs