https://appsec.fyi/graphql.html Curated GraphQL resources from appsec.fyi en-us Thu, 23 Apr 2026 23:07:09 +0000 carl@chs.us (Carl Sampson) https://www.ameeba.com/blog/cve-2025-59845-csrf-vulnerability-in-apollo-studio-embeddable-explorer-embeddable-sandbox/ https://www.ameeba.com/blog/cve-2025-59845-csrf-vulnerability-in-apollo-studio-embeddable-explorer-embeddable-sandbox/ CVE-2025-59845: CSRF Vulnerability in Apollo Studio Embeddable Explorer and Sandbox GraphQL Wed, 22 Apr 2026 12:50:45 +0000 https://www.ameeba.com/blog/cve-2025-31496-graphql-query-vulnerability-in-apollo-compiler-leading-to-possible-denial-of-service/ https://www.ameeba.com/blog/cve-2025-31496-graphql-query-vulnerability-in-apollo-compiler-leading-to-possible-denial-of-service/ CVE-2025-31496: GraphQL Query Vulnerability in Apollo Compiler Leading to DoS GraphQL Wed, 22 Apr 2026 12:50:45 +0000 https://amannsharmaa.medium.com/the-16-hour-window-catching-a-graphql-authorization-flaw-575f6e5c1217 https://amannsharmaa.medium.com/the-16-hour-window-catching-a-graphql-authorization-flaw-575f6e5c1217 The 16-Hour Window: Catching a GraphQL Authorization Flaw GraphQL Wed, 22 Apr 2026 12:50:44 +0000 https://github.com/omar2535/GraphQLer https://github.com/omar2535/GraphQLer GraphQLer: Context-Aware GraphQL API Fuzzing Tool GraphQL Wed, 22 Apr 2026 12:50:43 +0000 https://checkmarx.com/blog/exploiting-graphql-query-depth/ https://checkmarx.com/blog/exploiting-graphql-query-depth/ Exploiting GraphQL Query Depth GraphQL Wed, 22 Apr 2026 12:50:42 +0000 https://www.praetorian.com/blog/exploiting-broken-authentication-control-graphql/ https://www.praetorian.com/blog/exploiting-broken-authentication-control-graphql/ Exploiting Broken Authentication Control in GraphQL GraphQL Wed, 22 Apr 2026 12:50:42 +0000 https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-attack/ https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching-attack/ Didn't Notice Your Rate Limiting: GraphQL Batching Attack GraphQL Wed, 22 Apr 2026 12:50:41 +0000 https://escape.tech/blog/graphql-batch-attacks-cause-dos/ https://escape.tech/blog/graphql-batch-attacks-cause-dos/ Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing GraphQL Wed, 22 Apr 2026 12:50:40 +0000 https://salt.security/blog/api-threat-research-graphql-authorization-flaws-in-financial-technology-platform https://salt.security/blog/api-threat-research-graphql-authorization-flaws-in-financial-technology-platform API Threat Research: GraphQL Authorization Flaws in a FinTech Platform GraphQL Wed, 22 Apr 2026 12:50:39 +0000 https://github.com/advisories/GHSA-75m2-jhh5-j5g2 https://github.com/advisories/GHSA-75m2-jhh5-j5g2 Apollo Router Query Planner Excessive Resource Consumption via Named Fragment Expansion (CVE-2025-32034) GraphQL Wed, 22 Apr 2026 12:50:39 +0000 https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection PayloadsAllTheThings — GraphQL Injection GraphQL Sun, 19 Apr 2026 02:38:41 +0000 https://0xayub.gitbook.io/blog/approaching-graphql-end-points https://0xayub.gitbook.io/blog/approaching-graphql-end-points Approaching GraphQL End Points — Bug Bounty Notes GraphQL Sun, 19 Apr 2026 02:36:49 +0000 https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-dos-via-mutation-aliasing-in-graphql-account-recovery-phone-number-verification-api-hellokbit/ https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-dos-via-mutation-aliasing-in-graphql-account-recovery-phone-number-verification-api-hellokbit/ DoS via Mutation Aliasing in GraphQL — HackerOne Disclosure GraphQL Sun, 19 Apr 2026 02:36:48 +0000 https://portswigger.net/web-security/learning-paths/graphql-api-vulnerabilities https://portswigger.net/web-security/learning-paths/graphql-api-vulnerabilities GraphQL API Vulnerabilities Learning Path — PortSwigger GraphQL Sun, 19 Apr 2026 02:21:36 +0000 https://escape.tech/blog/lessons-from-the-parse-server-vulnerability/ https://escape.tech/blog/lessons-from-the-parse-server-vulnerability/ GraphQL Introspection Security: Lessons from the Parse Server Vulnerability GraphQL Sun, 19 Apr 2026 02:21:35 +0000 https://www.vulncheck.com/advisories/hasura-graphql-local-file-read-via-sql-injection https://www.vulncheck.com/advisories/hasura-graphql-local-file-read-via-sql-injection Hasura GraphQL 1.3.3 Local File Read via SQL Injection GraphQL Fri, 17 Apr 2026 14:42:53 +0000 https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e Discovering GraphQL endpoints and SQLi vulnerabilities GraphQL Fri, 17 Apr 2026 14:42:52 +0000 https://hackerone.com/reports/435066 https://hackerone.com/reports/435066 HackerOne Report #435066: SQL injection in GraphQL endpoint GraphQL Fri, 17 Apr 2026 14:42:51 +0000 https://www.aikido.dev/blog/prisma-and-postgresql-vulnerable-to-nosql-injection https://www.aikido.dev/blog/prisma-and-postgresql-vulnerable-to-nosql-injection Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido) GraphQL Fri, 17 Apr 2026 14:42:50 +0000 https://escape.tech/blog/9-graphql-security-best-practices/ https://escape.tech/blog/9-graphql-security-best-practices/ GraphQL Security: 9 Best Practices to Protect Your API (Escape) GraphQL Fri, 17 Apr 2026 14:42:50 +0000 https://www.apollographql.com/blog/authorization-in-graphql https://www.apollographql.com/blog/authorization-in-graphql Authorization in GraphQL (Apollo) GraphQL Fri, 17 Apr 2026 14:42:49 +0000 https://www.apollographql.com/blog/9-ways-to-secure-your-graphql-api-security-checklist https://www.apollographql.com/blog/9-ways-to-secure-your-graphql-api-security-checklist 9 Ways To Secure your GraphQL API - Apollo Checklist GraphQL Fri, 17 Apr 2026 14:42:48 +0000 https://www.apollographql.com/blog/enforcing-graphql-security-best-practices-with-graphos https://www.apollographql.com/blog/enforcing-graphql-security-best-practices-with-graphos Enforcing GraphQL security best practices with GraphOS GraphQL Fri, 17 Apr 2026 14:42:47 +0000 https://www.apollographql.com/docs/apollo-server/security/authentication https://www.apollographql.com/docs/apollo-server/security/authentication Apollo Authentication and Authorization Docs GraphQL Fri, 17 Apr 2026 14:42:47 +0000 https://blog.logrocket.com/securing-graphql-api-using-rate-limits-and-depth-limits/ https://blog.logrocket.com/securing-graphql-api-using-rate-limits-and-depth-limits/ Securing GraphQL API endpoints using rate limits and depth limits (LogRocket) GraphQL Fri, 17 Apr 2026 14:42:07 +0000 https://escape.tech/blog/cyclic-queries-and-depth-limit/ https://escape.tech/blog/cyclic-queries-and-depth-limit/ Cyclic Queries and Depth Limiting (Escape) GraphQL Fri, 17 Apr 2026 14:42:07 +0000 https://1mirabbas.medium.com/idor-vulnerability-in-graphql-api-on-inmobi-com-2482e3dfccf0 https://1mirabbas.medium.com/idor-vulnerability-in-graphql-api-on-inmobi-com-2482e3dfccf0 IDOR Vulnerability In GraphQL Api On inmobi.com GraphQL Fri, 17 Apr 2026 14:42:06 +0000 https://medium.com/@M00xy/exploiting-graphql-a-complete-guide-for-bug-bounty-hunters-355fecb02eb0 https://medium.com/@M00xy/exploiting-graphql-a-complete-guide-for-bug-bounty-hunters-355fecb02eb0 Exploiting GraphQL: Complete Guide for Bug Bounty Hunters GraphQL Fri, 17 Apr 2026 14:42:05 +0000 https://bugbase.ai/blog/exploiting-graphql-for-fun-and-bounties https://bugbase.ai/blog/exploiting-graphql-for-fun-and-bounties Exploiting GraphQL for fun and bounties (BugBase) GraphQL Fri, 17 Apr 2026 14:42:04 +0000 https://medium.com/dsc-sastra-deemed-to-be-university/graphql-for-bug-bounty-48e669963d90 https://medium.com/dsc-sastra-deemed-to-be-university/graphql-for-bug-bounty-48e669963d90 GraphQL for Bug Bounty (Mudhalai Mr) GraphQL Fri, 17 Apr 2026 14:42:04 +0000 https://medium.com/bugbountywriteup/graphql-idor-leads-to-information-disclosure-175eb560170d https://medium.com/bugbountywriteup/graphql-idor-leads-to-information-disclosure-175eb560170d GraphQL IDOR leads to information disclosure (Eshan Singh) GraphQL Fri, 17 Apr 2026 14:42:03 +0000 https://medium.com/@maakthon/bug-bounty-findings-10-major-vulnerabilities-exposed-in-cloverleafs-application-bac-in-graphql-0ae1ee0eb4d5 https://medium.com/@maakthon/bug-bounty-findings-10-major-vulnerabilities-exposed-in-cloverleafs-application-bac-in-graphql-0ae1ee0eb4d5 Bug Bounty: BAC in GraphQL (10 Major Vulns - Cloverleaf) GraphQL Fri, 17 Apr 2026 14:42:02 +0000 https://raxis.com/blog/exploiting-graphql/ https://raxis.com/blog/exploiting-graphql/ Exploiting GraphQL for Penetration Testing (Raxis) GraphQL Fri, 17 Apr 2026 14:42:01 +0000 https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL OWASP WSTG: Testing GraphQL GraphQL Fri, 17 Apr 2026 14:42:01 +0000 https://dev.to/cyberw1ng/exploiting-graphql-vulnerabilities-how-misconfigurations-can-lead-to-data-leaks-1dgp https://dev.to/cyberw1ng/exploiting-graphql-vulnerabilities-how-misconfigurations-can-lead-to-data-leaks-1dgp Exploiting GraphQL Vulnerabilities: Misconfig to Data Leaks GraphQL Fri, 17 Apr 2026 14:42:00 +0000 https://github.com/assetnote/batchql https://github.com/assetnote/batchql BatchQL: GraphQL Security Auditing for Batch Attacks GraphQL Thu, 16 Apr 2026 21:03:48 +0000 https://github.com/doyensec/inql https://github.com/doyensec/inql InQL: Advanced GraphQL Security Testing Burp Extension GraphQL Thu, 16 Apr 2026 21:03:47 +0000 https://fdzdev.medium.com/exploiting-csrf-in-graphql-applications-f262411588f7 https://fdzdev.medium.com/exploiting-csrf-in-graphql-applications-f262411588f7 Exploiting CSRF in GraphQL Applications GraphQL Thu, 16 Apr 2026 21:03:46 +0000 https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities GraphQL Vulnerabilities Cheat Sheet GraphQL Thu, 16 Apr 2026 21:03:46 +0000 https://www.assetnote.io/resources/research/exploiting-graphql https://www.assetnote.io/resources/research/exploiting-graphql Exploiting GraphQL (Assetnote Research) GraphQL Thu, 16 Apr 2026 21:03:45 +0000 https://escape.tech/blog/pentest101/ https://escape.tech/blog/pentest101/ GraphQL Discovery: Pentesting 101 Guide GraphQL Thu, 16 Apr 2026 21:03:44 +0000 https://medium.com/@m14r41/graphql-pentesting-a-beginners-guide-to-advanced-08c29bf82979 https://medium.com/@m14r41/graphql-pentesting-a-beginners-guide-to-advanced-08c29bf82979 GraphQL Pentesting: Beginner's Guide to Advanced GraphQL Thu, 16 Apr 2026 21:03:44 +0000 https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready https://wundergraph.com/blog/the_complete_graphql_security_guide_fixing_the_13_most_common_graphql_vulnerabilities_to_make_your_api_production_ready The Complete GraphQL Security Guide: Fixing the 13 Most Common Vulnerabilities GraphQL Thu, 16 Apr 2026 21:03:43 +0000 https://infosecwriteups.com/abusing-graphql-introspection-a-gateway-for-recon-and-exploitation-ab5440ee6ade https://infosecwriteups.com/abusing-graphql-introspection-a-gateway-for-recon-and-exploitation-ab5440ee6ade Abusing GraphQL Introspection: A Gateway for Recon and Exploitation GraphQL Thu, 16 Apr 2026 21:03:42 +0000 https://kizerh.medium.com/exploiting-graphql-a-full-spectrum-security-assessment-covering-introspection-injection-and-560f49a44f36 https://kizerh.medium.com/exploiting-graphql-a-full-spectrum-security-assessment-covering-introspection-injection-and-560f49a44f36 Exploiting GraphQL: A Full-Spectrum Security Assessment GraphQL Thu, 16 Apr 2026 21:03:41 +0000 https://medium.com/@aniketdas07770/common-attacks-on-rest-apis-and-graphql-apis-with-tools-learning-resources-3c23c364467b https://medium.com/@aniketdas07770/common-attacks-on-rest-apis-and-graphql-apis-with-tools-learning-resources-3c23c364467b Common Attacks on REST APIs and GraphQL APIs GraphQL Fri, 10 Apr 2026 01:55:43 +0000 https://medium.com/@cybersec_cynoxsecurity/graphql-api-security-common-vulnerabilities-and-exploits-8efa8e463657 https://medium.com/@cybersec_cynoxsecurity/graphql-api-security-common-vulnerabilities-and-exploits-8efa8e463657 GraphQL API Security: Common Vulnerabilities and Exploits GraphQL Fri, 10 Apr 2026 01:55:42 +0000 https://www.redteamworldwide.com/graphql-api-security-testing/ https://www.redteamworldwide.com/graphql-api-security-testing/ GraphQL Security Testing: Introspection Abuse, Injection, and DoS GraphQL Fri, 10 Apr 2026 01:55:41 +0000 https://blog.arcjet.com/hacking-and-securing-graphql/ https://blog.arcjet.com/hacking-and-securing-graphql/ Hacking (and Securing) GraphQL GraphQL Fri, 10 Apr 2026 01:55:40 +0000 https://portswigger.net/web-security/graphql https://portswigger.net/web-security/graphql GraphQL API Vulnerabilities - PortSwigger GraphQL Fri, 10 Apr 2026 01:43:18 +0000