Burp Suite User Forum

Python GraphQL API -- No Response

Carns, | Last updated: Dec 18, 2023 10:11PM UTC

Hey BurpSuite, I've been attempting to test some python code to interact with the GraphQL API and have not been able to pull a response filled with data. I am able to get an HTTP 200 response code, but am not successful with retrieving data.

Environment is Python3.9

```python
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
import requests

url = "https://swbpsewb1001.acct.upmchs.net:8443/graphq1/v1"

payload = "{\"query\":\"query GetSiteTree {\\n site_tree {\\n sites {\\n id\\n name\\n parent_id\\n }\\n }\\n}\",\"operationName\":\"GetSiteTree\"}"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Content-Type": "application/json",
    "Authorization": "*****"
}

response = requests.get(url, verify=False, data=payload, headers=headers)

print(response.status_code)
print(response.text)
```

Output I am receiving:

```
PS C:> python .\BurpGraphQLAPI_Test_V2.py
200
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Burp Suite Enterprise Edition</title>
<link rel="icon" type="image/ico" href="/static/favicon.ico">
<link rel="apple-touch-icon" sizes="180x180" href="/static/apple-touch-icon.png">
<link rel="manifest" href="/static/manifest.json">
<link rel="mask-icon" href="/static/safari-pinned-tab.svg" color="#000000">
<meta name="theme-color" content="#ffffff">
<meta name="msapplication-config" content="/static/favicon/browserconfig.xml">
<meta name="build_number" content="2023.11.1-14660"><script defer="defer" src="/static/js/bews.783871581d263bc129b6.js"></script><link href="/static/css/bews.e4c324612c74a4dc72b6.css" rel="stylesheet"></head>
<body>
<div id="app-div"></div>
<script>
if (window.MSCompatibleInfo != null) {
const documentBody = document.body;
const content = document.createElement("div");
content.innerHTML = ' <div class="chris-wrapper unsupported-browser">\n' +
' <span class="unsupported-browser-text">\n' +
' <div class="hero-text bold">Unsupported browser</div>\n' +
' <h2>\n' +
' We no longer support Internet Explorer.\n' +
' Please refer to our list of <a href="https://portswigger.net/burp/documentation/enterprise/infrastructure/client-browsers">supported browsers</a>.\n' +
' </h2>\n' +
' </span>\n' +
' </div>'
documentBody.replaceChild(content, document.getElementById("app-div"));
}
</script>
<!--$end_of_body$-->
</body>
</html>
```

Josh, PortSwigger Agent | Last updated: Dec 19, 2023 01:21PM UTC

Hi Michael, you need to send the request as a POST, which it doesn't look like you're doing. Could you double-check to make sure that you're doing that?

Carns, | Last updated: Dec 19, 2023 01:51PM UTC

Hey Josh, when I attempt to POST the HTTP request I end up receiving the 405 error below:

```
405
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 405 HTTP method POST is not supported by this URL</title>
</head>
<body><h2>HTTP ERROR 405 HTTP method POST is not supported by this URL</h2>
<table>
<tr><th>URI:</th><td>/graphq1/v1</td></tr>
<tr><th>STATUS:</th><td>405</td></tr>
<tr><th>MESSAGE:</th><td>HTTP method POST is not supported by this URL</td></tr>
<tr><th>SERVLET:</th><td>net.portswigger.enterprise.web.k-17aab709</td></tr>
</table>
</body>
</html>
```

Josh, PortSwigger Agent | Last updated: Dec 20, 2023 09:51AM UTC

Hi Michael, it looks like there's a sneaky typo in your URL path. You've got /graphq1/v1 when it should be /graphql/v1. If you make the POST request to that path instead, that should fix your problem.
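Added example, not part of any post in this thread and not PortSwigger's code: a standard-library sketch that builds the request as a POST to /graphql/v1 and checks a reply for the symptoms seen above (a 200 carrying the web UI's HTML, and a 405 on the mistyped path). The host name, the `diagnose` helper, the sample Content-Type values and the sample JSON body are constructed assumptions.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

GRAPHQL_PATH = "/graphql/v1"  # path given in the reply above
QUERY = "query GetSiteTree { site_tree { sites { id name parent_id } } }"


def build_request(base_url, api_key):
    """Build (not send) the POST; json.dumps does the escaping."""
    body = json.dumps({"query": QUERY, "operationName": "GetSiteTree"})
    return Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": api_key},
        method="POST",
    )


def diagnose(method, url, status, content_type, body):
    """Return a list of problems with one request/reply pair; [] means usable."""
    problems = []
    path = urlsplit(url).path
    if path != GRAPHQL_PATH:
        problems.append(f"path is {path!r}, expected {GRAPHQL_PATH!r}")
    if method.upper() != "POST":
        problems.append(f"method is {method}, expected POST")
    if status != 200:
        problems.append(f"HTTP status {status}")
    elif "json" not in content_type.lower():
        # A 200 alone proves nothing: the thread's GET returned the web UI page.
        problems.append(f"200 but Content-Type is {content_type!r}, not JSON")
    else:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        if not isinstance(doc, dict):
            problems.append("body is not a JSON object")
        elif doc.get("errors"):
            problems.append(f"GraphQL errors: {doc['errors']}")
    return problems


# Constructed samples modelled on the thread (host, headers and JSON are assumed).
BAD = "https://burp.example.internal:8443/graphq1/v1"
GOOD = "https://burp.example.internal:8443/graphql/v1"
HTML = "<!DOCTYPE html><title>Burp Suite Enterprise Edition</title>"
JSON_OK = '{"data": {"site_tree": {"sites": [{"id": "1", "name": "demo"}]}}}'
```

Running `diagnose` on each reply before parsing it turns a silent HTML fallback into an explicit error instead of a misleading 200.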

Carns, | Last updated: Dec 26, 2023 08:53PM UTC

Wow, thank you! That was quite a headache. I'm now testing with Insomnia and the script itself. I'm getting an HTTP code 77. Could this be from outdated certificates on the BurpSuite Server or a bad GQL message?

Josh, PortSwigger Agent | Last updated: Jan 02, 2024 11:13AM UTC

No problem! These typos are easy to miss. Is the 77 code coming from within the GraphQL JSON response? If this is the case, it would be best if you could send the full response that you're getting to us via email at support@portswigger.net as there may be some sensitive information in there.
