GraphQL Bookstore API

Security Learning Environment - Deliberately Vulnerable GraphQL API

Access the API at: api.graphqlbook.org/graphql

POST Queries & Mutations | GET Queries only | Use with online GraphQL tools, Postman, curl, etc.

Chapter I: The Injection

"Beyond the veil of queries lies a passage where shadows speak in database tongues. Those who master the ancient art of string concatenation may bend the data realm to their will, extracting secrets from tables unseen."

Chapter II: The Broken Access

"In the halls of the API, doors stand unlocked for all who seek. The internal chambers of user data lie bare to any traveler - no guardian questions those who walk the hidden corridors."

Chapter III: The Misplaced Trust

"The order bears the mark of its creator, yet any hand may seize it. When ownership goes unverified, the boundaries between yours and theirs dissolve into shadow."

Chapter IV: The Open Ledger

"Fields once forbidden now yield to the clever coder's touch. When all paths lead to the throne, when every attribute accepts the whisperer's will, true power transcends mere mortal constraints."

Chapter V: The Extending Reach

"Beyond the visible web lies a realm of machines and metadata. The curious can traverse the boundary between the public face and the hidden infrastructure that powers the kingdom."

Chapter VI: The Unwatched Treasury

"Crown jewels - order records, payment ledgers, system statistics - all lie within reach of the unguarded gate. The keepers have left their treasures unwatched, accessible to any who know where to look."

Chapter VII: The Skeleton Key

"A single key unlocks many doors, yet this key was forged from common words. The authentication bearer need only speak the secret phrase to command the realm's resources."

Available Coupon Codes

WELCOME10

10% Off

Welcome discount for new users

FLAT20

$20 Off

On orders over $100

SUMMER25

25% Off

Summer sale - orders over $50

DISCOUNT10

10% Off

General discount code

▶ Query Runner

Response will appear here...

🔒 Login

📝 Register

Quick Examples

                # Query books (no auth) query { books(limit:5) { id title price } }

                # Get book by ID query { book(id:1) { id title description author { firstName lastName } } }

                # Search books query { books(search:"code") { id title price } }

                # Login mutation { login(username:"admin", password:"password123") { success token } }

                # Register mutation { register(username:"user", firstName:"John", lastName:"Doe", password:"pass") { success } }

                # Get current user query { me { id username role firstName } }

                # Update profile mutation { updateProfile(phone:"1234567890", city:"NYC") { success } }

                # Add to cart mutation { addToCart(bookId:1, quantity:2) { success } }

                # View cart query { cart { id items { bookId quantity } } }

                # Remove from cart mutation { removeFromCart(bookId:1) { success } }

                # Create order mutation { createOrder { success orderId } }

                # View orders query { orders { id orderNumber status totalAmount } }

                # Cancel order mutation { cancelOrder(orderId:"xxx") { success } }

                # Create review mutation { createReview(bookId:1, rating:5, comment:"Great!") { success } }

                # View reviews query { bookReviews(bookId:1) { id rating comment } }

                # Delete review mutation { deleteReview(reviewId:1) { success } }

                # Register webhook mutation { registerWebhook(url:"https://example.com", events:"order.created") { success } }

                # Test webhook mutation { testWebhook(webhookId:"xxx") { success } }

                # Advanced search query { _searchAdvanced(query:"python") { id title price } }

                # External resource query { _fetchExternalResource(url:"http://example.com") { content } }

Available Queries

QueryNo Auth

books

List books with filters

QueryNo Auth

book(id)

Get book details

QueryAuth

Get current user

QueryAuth

cart

Get shopping cart

QueryAuth

orders

Get order history

QueryNo Auth

_searchAdvanced

Advanced book search

QueryNo Auth

_internalUserSearch

Search users by username

QueryNo Auth

_fetchExternalResource

Fetch external URL content

Available Mutations

MutationNo Auth

Create account

MutationNo Auth

Get JWT token

MutationAuth

addToCart

Add to cart

MutationAuth

createOrder

Create order

MutationAuth

cancelOrder

Cancel order

MutationAuth

createReview

Add review

MutationAuth

deleteReview

Delete review

MutationAuth

updateProfile

Update user profile

MutationAuth

registerWebhook

MutationAuth

testWebhook

Test webhook endpoint

Features

📚

Book Catalog

🛒

Shopping Cart

📝

Reviews

🔗

Webhooks

🔒

JWT Auth

🢛

Orders

API Documentation

Complete guide to GraphQL Bookstore API

Welcome

Welcome to the GraphQL Bookstore API - a deliberately vulnerable API designed for security education and hands-on learning of GraphQL fundamentals. This project provides a realistic bookstore environment where you can explore common web vulnerabilities in a safe, educational setting.

What is This API?

The GraphQL Bookstore API simulates a real-world e-commerce platform built with GraphQL. It includes complete functionality for a bookstore including user accounts, book browsing, shopping cart, order management, product reviews, and webhook notifications. The API is intentionally built with various security vulnerabilities to help developers, security researchers, and students understand and identify common web application security flaws.

What is It Built For?

This API serves as a learning platform for:

Understanding GraphQL API security fundamentals
Learning to identify and exploit common vulnerabilities
Practicing secure coding techniques
Testing security tools and methodologies
Educational workshops and capture-the-flag (CTF) events

Business Flow

The API follows a typical e-commerce workflow:

1. USER REGISTRATION/LOGIN
   └─→ Create account or authenticate to receive JWT token

2. BROWSE BOOKS
   └─→ Query books, search by title/author/category
   └─→ View book details and reviews

3. MANAGE CART
   └─→ Add books to shopping cart
   └─→ Update quantities or remove items
   └──→ Apply coupon codes (discounts)

4. CHECKOUT & PAYMENT
   └─→ Review cart contents
   └─→ Process payment (simulated Vulnbank)
   └─→ Create order record

5. ORDER MANAGEMENT
   └─→ View order history
   └─→ Cancel orders (if allowed)
   └─→ Track order status

6. REVIEWS & RATINGS
   └─→ Submit reviews for purchased books
   └─→ View reviews from other users

7. WEBHOOKS (Optional)
   └─→ Register webhook URLs for real-time notifications
   └─→ Receive events: order created, paid, cancelled, etc.

Previous Next

How To Send Requests

The GraphQL Bookstore API accepts requests via HTTP POST to the /graphql endpoint. All requests must include a JSON body with a query field containing your GraphQL operation.

API Endpoints

You can use either of the following endpoints:

Local Development:  http://localhost:4000/graphql
Live URL: https://api.graphqlbook.org/graphql

// All examples below use localhost. Simply replace with the live URL when ready.

Basic Request Structure

POST /graphql
Content-Type: application/json

{
  "query": "Your GraphQL query or mutation here"
}

Using cURL

Query Books (No Auth Required)

curl -X POST http://localhost:4000/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ books { id title price } }"}'

curl -X POST http://localhost:4000/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"mutation { login(username: \"admin\", password: \"password123\") { success token } }"}'

Authenticated Request

curl -X POST http://localhost:4000/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN_HERE" \
  -d '{"query":"mutation { addToCart(bookId: 1, quantity: 2) { success } }"}'

Using JavaScript (Fetch API)

Basic Query

fetch('/graphql', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    query: '{ books { id title price } }'
  })
})
.then(r => r.json())
.then(d => console.log(d));

With Authentication

// First login to get token, then use it for authenticated requests
const token = 'YOUR_JWT_TOKEN_HERE';

fetch('/graphql', {
  method: 'POST',
  headers: { 
    'Content-Type': 'application/json',
    'Authorization': 'Bearer ' + token
  },
  body: JSON.stringify({
    query: 'mutation { addToCart(bookId: 1, quantity: 2) { success } }'
  })
})
.then(r => r.json())
.then(d => console.log(d));

Query vs Mutation

Queries are used to fetch data (read operations). Mutations are used to modify data (write operations like creating, updating, or deleting).

# Query - Read data (no exclamation point)
query {
  books { id title price }
}

# Mutation - Write data (starts with mutation keyword)
mutation {
  login(username: "admin", password: "pass") { token }
}

Request Headers

Content-Type: application/json
Authorization: Bearer <your-jwt-token>  // Only for authenticated requests

Response Format

Successful responses are wrapped in a data object. Errors are returned in an errors array.

// Success Response
{
  "data": {
    "books": [
      { "id": "1", "title": "Book Title", "price": 19.99 }
    ]
  }
}

// Error Response
{
  "errors": [
    { "message": "Authentication required" }
  ]
}

Using Postman

Postman is a popular tool for testing APIs. Here's how to use it with this GraphQL API:

Method: POST

URL: http://localhost:4000/graphql
      (or https://api.graphqlbook.org/graphql for production)

Headers:
Content-Type: application/json
Authorization: Bearer <your-token>  // Only for authenticated requests

Body (JSON):
{
  "query": "{ books { id title price } }"
}

Using Online Tools

You can also use online GraphQL tools like Apollo GraphQL Studio, Insomnia, or similar:

Apollo GraphQL Studio: https://studio.apollographql.com/sandbox/explore
Insomnia: https://insomnia.rest/download
Postman: https://www.postman.com/downloads

// Simply set the endpoint URL and send your GraphQL query

Ready-to-use Postman Collection

Import all queries and mutations into Postman with one click

Download Collection

Authentication Flow

The API uses JWT (JSON Web Tokens) for authentication. Here's the complete flow:

// Step 1: Login to get your JWT token
mutation {
  login(username: "admin", password: "password123") {
    success
    token
    user {
      id
      username
      role
    }
  }
}

// Step 2: Use the token in subsequent requests
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// Step 3: Token is valid for 6 hours. Include it in the
//         Authorization header for protected endpoints

Default Credentials

The API comes with pre-configured test accounts:

Admin:   username: admin   password: password123   role: admin
Staff:   username: staff   password: password123   role: staff
User:    username: user    password: password123   role: user

Previous Next

Local Installation

Run the API directly on your machine. Requires C++ compiler, PostgreSQL, and required libraries.

Prerequisites

C++ compiler (g++)
PostgreSQL database
libpq-dev
libjwt-dev
libcurl-dev

Quick Setup

Clone and Build

git clone https://github.com/DghostNinja/graphql-bookstore-API.git
cd GraphQL-Bookstore
./build.sh

Run the Server

./bookstore-server

Server URLs

DOCS: http://localhost:4000
API Endpoint: http://localhost:4000/graphql

Previous Next

Docker Installation

Run the API in a Docker container. Easiest way - handles all dependencies automatically.

Quick Setup

Clone and Run

git clone https://github.com/DghostNinja/graphql-bookstore-API.git
cd GraphQL-Bookstore
docker-compose up --build

Server URLs

DOCS: http://localhost:4000
API Endpoint: http://localhost:4000/graphql

Stop the Server

docker-compose down

Previous Next

Data Types & Schema

This section provides an overview of the GraphQL schema, including available data types and how to explore the API using introspection.

Main Data Types

The API defines several core types that represent the bookstore data model:

Book         - Represents a book in the catalog
  id, title, description, price, stockQuantity, categoryId, authorId

Author       - Represents a book author
  id, firstName, lastName, biography

User         - Represents a registered user
  id, username, email, role, firstName, lastName, phone, city

Order        - Represents a customer order
  id, orderNumber, userId, status, totalAmount, createdAt, items

OrderItem   - Represents an item in an order
  id, bookId, quantity, price

Cart         - Represents a shopping cart
  id, userId, items, subtotal, tax, discount, total

CartItem     - Represents an item in the cart
  id, bookId, quantity, price

Review       - Represents a book review
  id, bookId, userId, rating, comment, createdAt

Webhook      - Represents a webhook subscription
  id, userId, url, events, secret, isActive

Field Selection

GraphQL allows you to request only the specific fields you need. This reduces response size and improves performance.

Request All Fields

query {
  books {
    id
    title
    description
    price
    stockQuantity
    author {
      firstName
      lastName
    }
  }
}

Request Only Specific Fields

query {
  books {
    id
    title
    price
  }
}

Nested Field Selection

query {
  cart {
    id
    items {
      bookId
      quantity
      book {
        title
        price
      }
    }
  }
}

GraphQL Introspection

GraphQL supports introspection, allowing you to query the schema itself to discover available types, fields, and operations.

Query All Types

query {
  __schema {
    types {
      name
      kind
      description
    }
  }
}

Query Specific Type

query {
  __type(name: "Book") {
    name
    kind
    fields {
      name
      type {
        name
        kind
      }
    }
  }
}

Query All Queries & Mutations

query {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
  }
}

Query Type Fields

query {
  __schema {
    queryType {
      fields {
        name
        description
        type {
          name
        }
        args {
          name
          type {
            name
          }
        }
      }
    }
  }
}

Common Filters & Arguments

Many queries accept arguments to filter, sort, or limit results:

books(search: String, categoryId: Int, limit: Int)
  - search: Filter by title or description
  - categoryId: Filter by category
  - limit: Limit number of results

book(id: Int!)
  - id: Required - the book ID

_searchAdvanced(query: String!)
  - query: Search query string

bookReviews(bookId: Int!)
  - bookId: Required - filter reviews by book

Previous Next

Available Queries

Queries are used to fetch data from the API. Some queries require authentication.

Public Queries (No Auth Required)

QueryNo Auth

books

List all books with optional search and category filters

{ books { id title price } }

QueryNo Auth

book

Get details of a specific book by ID

{ book(id: 1) { id title price author { firstName } } }

QueryNo Auth

bookReviews

Get reviews for a specific book

{ bookReviews(bookId: 1) { id rating comment } }

Protected Queries (Auth Required)

QueryAuth

Get current authenticated user information

{ me { id username role email } }

QueryAuth

cart

Get current user's shopping cart

{ cart { id items { bookId quantity } totalAmount } }

QueryAuth

orders

Get current user's order history

{ orders { id orderNumber status totalAmount } }

QueryAuth

myReviews

Get reviews written by current user

{ myReviews { id rating comment bookId } }

QueryAuth

webhooks

Get current user's registered webhooks

{ webhooks { id url events isActive } }

Previous Next

Available Mutations

Mutations are used to modify data. Most mutations require authentication.

Authentication Mutations (No Auth Required)

MutationNo Auth

Create a new user account

mutation { register(username: "user", firstName: "John", lastName: "Doe", password: "pass123") { success token } }

MutationNo Auth

Authenticate and get JWT token

MutationNo Auth

logout

Logout (discard JWT token client-side)

mutation { logout { success } }

Cart & Order Mutations (Auth Required)

MutationAuth

addToCart

Add a book to shopping cart

mutation { addToCart(bookId: 1, quantity: 2) { success } }

MutationAuth

removeFromCart

Remove a book from shopping cart

mutation { removeFromCart(bookId: 1) { success } }

MutationAuth

applyCoupon

Apply a coupon code to cart

mutation { applyCoupon(code: "DISCOUNT10") { success discount } }

MutationAuth

createOrder

Create an order from cart (without payment)

mutation { createOrder { success orderId } }

MutationAuth

cancelOrder

Cancel an order

mutation { cancelOrder(orderId: "uuid-here") { success } }

User & Review Mutations (Auth Required)

MutationAuth

updateProfile

Update user profile information

mutation { updateProfile(phone: "1234567890", city: "NYC") { success } }

MutationAuth

createReview

Create a review for a book

mutation { createReview(bookId: 1, rating: 5, comment: "Great book!") { success } }

MutationAuth

deleteReview

Delete a review

mutation { deleteReview(reviewId: 1) { success } }

Webhook Mutations (Auth Required)

MutationAuth

registerWebhook

mutation { registerWebhook(url: "https://example.com/webhook", events: ["order.created"]) { success } }

MutationAuth

testWebhook

Test a registered webhook

mutation { testWebhook(webhookId: "uuid-here") { success } }

Previous Next

Security Considerations

This API contains various endpoints that may exhibit unexpected behavior under certain conditions:
• Authentication - Response times may vary
• Data Access - Some endpoints may allow broader data access
• Input Processing - Various input fields are processed differently
• Batch Operations - Multiple operations may behave unexpectedly
• XML Handling - Some endpoints accept XML payloads
• Debug Endpoints - Internal information may be exposed

Previous Next

MCP Server - AI/LLM Integration

The Bookstore API includes an MCP (Model Context Protocol) server that exposes all API operations as tools for AI and LLM models. This enables AI assistants to interact with the Bookstore API natively.

Quick Installation

# Navigate to MCP directory and install
cd mcp
npm install

Usage

Local Development:

# Start the Bookstore API server (from project root)
./bookstore-server

# In another terminal, start MCP server
cd mcp
npm start

Production (Live API):

cd mcp
API_URL=https://api.graphqlbook.org/graphql npm start

Available MCP Tools

The MCP server exposes 25 tools organized by category:

Authentication

bookstore_login
bookstore_register
bookstore_me

Books

bookstore_books
bookstore_book
bookstore_search

Cart

bookstore_cart
bookstore_add_to_cart
bookstore_remove_from_cart

Orders

bookstore_orders
bookstore_create_order
bookstore_purchase_cart
bookstore_cancel_order

Reviews

bookstore_create_review
bookstore_delete_review
bookstore_book_reviews
bookstore_my_reviews

Other

bookstore_update_profile
bookstore_apply_coupon
bookstore_webhooks
bookstore_admin_stats

Claude Desktop Integration

Add the following to your Claude Desktop config file:

{
  "mcpServers": {
    "bookstore": {
      "command": "node",
      "args": ["/path/to/GraphQL-Bookstore/mcp/mcp_server.mjs"],
      "env": {
        "API_URL": "http://localhost:4000/graphql"
      }
    }
  }
}

For production, change API_URL to https://api.graphqlbook.org/graphql.

Environment Variables

Variable	Default	Description
API_URL	http://localhost:4000/graphql	Bookstore API endpoint

See mcp/README.md for detailed documentation.

Previous Next

Feedback & Comments

Have suggestions, found bugs, or want to share your experience? We'd love to hear from you! Your feedback helps improve this API.

Your Name

Your Comment

What is + ?

Previous Next