appsec.fyi

GraphQL Resources


A curated AppSec resource library covering XSS, SQLi, SSRF, IDOR, RCE, XXE, OSINT, and more.

GraphQL

GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. It gives clients the power to ask for exactly what they need, makes it easier to evolve APIs over time, and enables powerful developer tools.

From a security perspective, GraphQL introduces a unique attack surface that differs significantly from traditional REST APIs. Introspection queries can expose the entire schema — every type, field, and relationship — giving attackers a detailed map of the application's data model. Deeply nested queries enable denial-of-service through resource exhaustion, while batch queries can bypass rate limiting designed for REST endpoints.

Common GraphQL security issues include broken authorization on field-level resolvers, information disclosure through verbose error messages, and injection vulnerabilities in custom directives or filters. Many applications disable introspection in production but forget to restrict it in staging environments, or expose schema details through autocomplete suggestions.

Testing GraphQL requires specialized tools and techniques. Unlike REST APIs where endpoints are enumerable, GraphQL consolidates everything behind a single endpoint, requiring schema-aware fuzzing and query manipulation.

This page collects security research, testing methodologies, and real-world vulnerabilities specific to GraphQL APIs — from introspection abuse to authorization bypasses and injection attacks.

From graphql.org

Date Added | Link | Tags | Excerpt

2026-04-22 | CVE-2025-59845: CSRF Vulnerability in Apollo Studio Embeddable Explorer and Sandbox | news | Writeup of CVE-2025-59845, a high-severity CSRF vulnerability in Apollo Studio Embeddable Explorer and Sandbox. Exploiting a lack of origin validation for `window.postMessage` events, attackers can trick user browsers into executing arbitrary GraphQL queries against vulnerable servers, potentially leading to system compromise or data leakage. Organizations using affected versions prior to Apollo Sandbox 2.7.2 and Apollo Explorer 3.7.3 should apply vendor patches immediately.
2026-04-22 | CVE-2025-31496: GraphQL Query Vulnerability in Apollo Compiler Leading to DoS | news | Writeup of CVE-2025-31496, a denial-of-service vulnerability in the Apollo Compiler affecting versions prior to 1.27.0. The exploit leverages a flaw in how named fragments are handled during query validation, leading to exponential resource consumption when fragments are deeply nested and reused. Attackers can craft specific GraphQL queries to trigger this vulnerability, potentially causing system compromise or data leakage.
2026-04-22 | The 16-Hour Window: Catching a GraphQL Authorization Flaw | intermediate |
2026-04-22 | GraphQLer: Context-Aware GraphQL API Fuzzing Tool | intermediate | Tool for context-aware GraphQL API fuzzing. GraphQLer automatically reads API schemas, generates valid queries and mutations based on the schema and object dependencies, and tracks resources for reconnaissance. It can detect insecure direct object reference (IDOR) vulnerabilities using dual-profile chain replay and offers an interactive TUI for ease of use, with optional proxy support for Burp Suite or OWASP ZAP.
2026-04-22 | Exploiting GraphQL Query Depth | intermediate | → checkmarx.com
2026-04-22 | Exploiting Broken Authentication Control in GraphQL | intermediate | Writeup of a privilege escalation vulnerability in a financial application's GraphQL API, demonstrating how broken authentication and authorization controls allowed an attacker to gain administrative privileges. The attack involved enumerating administrative usernames using Burp Suite Intruder and then substituting an authorized username into a `brassCheckAccess` query. Recommendations include validating usernames against the requesting user's session token and implementing directive constraints and middleware for input sanitization.
2026-04-22 | Didn't Notice Your Rate Limiting: GraphQL Batching Attack | intermediate | → checkmarx.com
2026-04-22 | Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing | intermediate | Library for securing GraphQL APIs, addressing denial-of-service (DoS) attacks and credential brute-forcing enabled by batching and aliases. Batch attacks bypass traditional rate limiting by executing numerous operations within a single API call, overwhelming servers and facilitating unauthorized access. This library, including the open-source GraphQL Armor plugin and a specialized scanner, helps identify and mitigate these vulnerabilities by enforcing query validation and limiting alias usage. → escape.tech
2026-04-22 | API Threat Research: GraphQL Authorization Flaws in a FinTech Platform | intermediate |
2026-04-22 | Apollo Router Query Planner Excessive Resource Consumption via Named Fragment Expansion (CVE-2025-32034) | news | Library patch addressing CVE-2025-32034 in Apollo Router, which allowed excessive resource consumption via named fragment expansion during query planning. The vulnerability stemmed from fragments being expanded exponentially with deep nesting. The fix introduces a Query Fragment Expansion Limit metric to cap computation, with remediation available in apollo-router versions 1.61.2 and 2.1.1. A workaround involves safelisting queries.
2026-04-19 | PayloadsAllTheThings — GraphQL Injection | intermediate | Library for GraphQL injection attacks, detailing introspection queries and tools like `GraphQLmap`, `inql`, and `CrackQL`. It covers techniques for enumerating schema details, identifying entry points to specific types using `graphql-path-enum`, and discovering API endpoints like `/graphql` and `/graphiql`. The library also provides strategies for handling disabled introspection and brute-forcing keywords with wordlists.
2026-04-19 | Approaching GraphQL End Points — Bug Bounty Notes | intermediate |
2026-04-19 | DoS via Mutation Aliasing in GraphQL — HackerOne Disclosure | intermediate | Writeup detailing a Denial-of-Service (DoS) vulnerability in a HackerOne-reported GraphQL API, specifically targeting account recovery phone number verification. The flaw arises from mutation aliasing, allowing a single request to execute the `verifyAccountRecoveryPhoneNumber` mutation multiple times, leading to server-side resource exhaustion and service degradation for legitimate users. Recommendations include implementing hard caps on mutation aliases and per-request quotas for expensive operations.
2026-04-19 | GraphQL API Vulnerabilities Learning Path — PortSwigger | beginner | → portswigger.net
2026-04-19 | GraphQL Introspection Security: Lessons from the Parse Server Vulnerability | intermediate | Reference on GraphQL introspection security, drawing lessons from CVE-2025-53364 in Parse Server; it argues that disabling introspection is not a comprehensive solution. The vulnerability allowed public schema access, aiding targeted attacks. It recommends securing introspection through authentication and RBAC and avoiding public exposure. While introspection is useful for development and public APIs, it can be bypassed via field suggestions or traffic analysis. Consider disabling it for private APIs if it is not needed, but otherwise focus on controlled access and automated testing with tools like Escape. → escape.tech
2026-04-17 | Hasura GraphQL 1.3.3 Local File Read via SQL Injection | intermediate | Advisory detailing a local file read vulnerability in Hasura GraphQL 1.3.3, exploitable via SQL injection. Attackers can leverage the `pg_read_file()` function through crafted queries on the query endpoint to access arbitrary files on the server, impacting systems running this version.
2026-04-17 | Discovering GraphQL endpoints and SQLi vulnerabilities | intermediate |
2026-04-17 | HackerOne Report #435066: SQL injection in GraphQL endpoint | news | → hackerone.com
2026-04-17 | Prisma and PostgreSQL vulnerable to NoSQL injection? (Aikido) | intermediate | Library vulnerability analysis demonstrating how Prisma ORM, even with PostgreSQL, is susceptible to operator injection, commonly known as NoSQL injection. This occurs when user input is passed to query functions supporting string-based operators, such as `findFirst`, `findMany`, `updateMany`, and `deleteMany`. The analysis highlights exploits and recommends prevention techniques including casting user input to primitive data types, implementing robust server-side validation with libraries like Zod, and keeping ORMs like Prisma and Sequelize updated to benefit from security fixes. → aikido.dev
2026-04-17 | GraphQL Security: 9 Best Practices to Protect Your API (Escape) | beginner | Library for protecting GraphQL APIs from common vulnerabilities. It details techniques for disabling introspection, implementing robust authorization and authentication at the resolver level, and mitigating denial-of-service attacks through query whitelisting, depth limiting, and complexity analysis. Examples include using Apollo Server with `introspection: process.env.NODE_ENV !== 'production'`, implementing `authMiddleware`, and utilizing libraries like `graphql-depth-limit`. → escape.tech
2026-04-17 | Authorization in GraphQL (Apollo) | intermediate | Reference on authorization in GraphQL via Apollo, covering authentication versus authorization, obtaining user data from requests, schema-level authorization by throwing errors in the context function, and granular authorization within resolvers by checking user roles before returning data or calling data retrieval functions.
2026-04-17 | 9 Ways To Secure your GraphQL API - Apollo Checklist | beginner | Checklist of 9 security measures for GraphQL APIs, detailing strategies for authentication and authorization using JWTs, reducing attack surface area by limiting query depth with `graphql-depth-limit`, paginating list fields, improving input validation and sanitization, implementing timeouts, rate limiting, query cost analysis, and safelisting operations via automatic persisted queries. It also covers limiting API discoverability by disabling introspection in production.
2026-04-17 | Enforcing GraphQL security best practices with GraphOS | beginner | Library for enforcing GraphQL security best practices with GraphOS. This library enables centralized authorization in the router, safelisting registered operations to reduce surface area, and limiting operation complexity via depth, height, aliases, and root fields. It leverages directives like `@requiresScopes` and `@authenticated` for declarative access control, and supports JWT authentication for adding claims to request contexts.
2026-04-17 | Apollo Authentication and Authorization Docs | beginner | Library for implementing authentication and authorization in GraphQL APIs, demonstrating how to extract user tokens from HTTP headers, populate the `contextValue` with user information, and implement API-wide or field-level access control using roles. The documentation covers techniques for denying access via `GraphQLError` and conditionally returning data within resolvers based on user authentication status.
2026-04-17 | Securing GraphQL API endpoints using rate limits and depth limits (LogRocket) | intermediate | Library implementing rate and depth limiting for Node.js GraphQL APIs. This library leverages Redis for storing rate-limiting data and offers directives to apply limits directly within your GraphQL schema. It supports identifying clients by IP address or other unique identifiers, customizes error messages when limits are exceeded, and integrates with GraphQL servers like GraphQL Yoga and Apollo. → blog.logrocket.com
2026-04-17 | Cyclic Queries and Depth Limiting (Escape) | intermediate | Library for mitigating denial-of-service attacks against GraphQL APIs by limiting query depth and execution time. It details how malicious queries can exploit cyclic relationships in graph databases, leading to performance degradation and resource exhaustion. The library, through tools like `graphql-depth-limit` for Apollo, Express GraphQL, and GraphQL Node, and configuration options for Hasura Cloud and Graphene, enables developers to set maximum query depths and timeouts, ensuring application stability while maintaining usability. → escape.tech
2026-04-17 | IDOR Vulnerability In GraphQL Api On inmobi.com | intermediate |
2026-04-17 | Exploiting GraphQL: Complete Guide for Bug Bounty Hunters | beginner |
2026-04-17 | Exploiting GraphQL for fun and bounties (BugBase) | beginner |
2026-04-17 | GraphQL for Bug Bounty (Mudhalai Mr) | beginner |
2026-04-17 | GraphQL IDOR leads to information disclosure (Eshan Singh) | intermediate |
2026-04-17 | Bug Bounty: BAC in GraphQL (10 Major Vulns - Cloverleaf) | intermediate |
2026-04-17 | Exploiting GraphQL for Penetration Testing (Raxis) | intermediate | Writeup on exploiting GraphQL introspection for penetration testing, detailing how this feature, intended for development, can expose sensitive schema information in production. It highlights common vulnerabilities like SQL injection and batch attacks, but focuses on introspection as an easy attack vector. The article demonstrates using tools like Burp Suite with the GraphQL Raider plugin and CURL to query schema details and discover fields such as "allUsers." It also notes how descriptive error messages can aid attackers, and advises disabling introspection in production environments to mitigate these risks.
2026-04-17 | OWASP WSTG: Testing GraphQL | beginner | Library detailing OWASP Web Security Testing Guide (WSTG) v4.2 procedures for testing GraphQL APIs. It covers introspection queries, authorization testing, and generic API attacks like SQL injection, using tools such as GraphQL Voyager, GraphiQL, and GraphQL Playground to assess misconfigurations and identify vulnerabilities on systems like the poc-graphql application. → owasp.org
2026-04-17 | Exploiting GraphQL Vulnerabilities: Misconfig to Data Leaks | intermediate | Library for identifying and exploiting GraphQL misconfigurations. It details how improper setups can lead to unauthorized data access, sensitive information disclosure, and mass enumeration of private data, referencing a real-world bug bounty discovery. The entry provides insight into how attackers leverage these vulnerabilities and offers guidance on securing GraphQL APIs against such threats.
2026-04-16 | BatchQL: GraphQL Security Auditing for Batch Attacks | intermediate | Tool for auditing GraphQL security via batch attacks. BatchQL facilitates performing numerous queries and mutations in a single request and aids in discovering introspection query support, schema suggestions, and potential CSRF vulnerabilities. The script supports JSON list-based batching attacks, allowing for testing against functionalities like password resets to bypass rate limiting. BatchQL can utilize embedded variables or provided JSON input for attack scenarios.
2026-04-16 | InQL: Advanced GraphQL Security Testing Burp Extension | intermediate | Library for advanced GraphQL security testing; InQL integrates with Burp Suite. It offers a scanner for auto-generating queries and mutations, customizable scans with 'Points of Interest' analysis for vulnerability detection, and circular reference detection. InQL also supports batch queries, custom headers, engine fingerprinting even when introspection is disabled, and interactive schema visualization through GraphiQL and GraphQL Voyager.
2026-04-16 | Exploiting CSRF in GraphQL Applications | intermediate |
2026-04-16 | GraphQL Vulnerabilities Cheat Sheet | beginner | → 0xn3va.gitbook.io
2026-04-16 | Exploiting GraphQL (Assetnote Research) | intermediate | Tool for auditing GraphQL APIs: BatchQL detects introspection, schema suggestions, and CSRF. It enables JSON list-based batching attacks to bypass rate limiting on functionalities like password resets. Techniques also cover query name-based batching and leveraging tools like Clairvoyance to recover schemas when introspection is disabled. → assetnote.io
2026-04-16 | GraphQL Discovery: Pentesting 101 Guide | beginner | Guide on GraphQL discovery for penetration testing. This installment of the "Pentesting GraphQL 101" series details techniques for understanding endpoint limits, determining verbosity, and fetching API schema information through methods like basic queries, mutation checks for CSRF, aliasing, and character limits. It highlights the importance of query timing and error analysis, recommending tools like Altair for interaction and leveraging introspection or "did you mean" suggestions for schema discovery, referencing the `awesome-graphql-security` list for resources. → escape.tech
2026-04-16 | GraphQL Pentesting: Beginner's Guide to Advanced | beginner |
2026-04-16 | The Complete GraphQL Security Guide: Fixing the 13 Most Common Vulnerabilities | beginner | Guide detailing 13 common GraphQL vulnerabilities, including parser bugs, normalization issues, and execution flaws leading to denial-of-service attacks. It emphasizes the complexity of GraphQL parsing and validation compared to URLs, highlighting the potential for exploitation due to the inherent flexibility of GraphQL operations and the lack of robust, widely adopted testing frameworks like the defunct CATS project. The guide stresses the need for rigorous testing of GraphQL libraries and frameworks to mitigate risks.
2026-04-16 | Abusing GraphQL Introspection: A Gateway for Recon and Exploitation | intermediate | → infosecwriteups.com
2026-04-16 | Exploiting GraphQL: A Full-Spectrum Security Assessment | intermediate |
2026-04-10 | Common Attacks on REST APIs and GraphQL APIs | beginner, API Sec |
2026-04-10 | GraphQL API Security: Common Vulnerabilities and Exploits | beginner, API Sec |
2026-04-10 | GraphQL Security Testing: Introspection Abuse, Injection, and DoS | intermediate | Library for precise GraphQL API penetration testing, focusing on a phase-based methodology. It covers schema enumeration via introspection, including using GraphQL Voyager for visualization and Clairvoyance to reconstruct schemas when introspection is disabled. The guide details injection vulnerability testing, specifically for SQL/NoSQL injection in arguments, SSRF via URL-accepting fields, and stored XSS in mutations, recommending tools like Burp Suite and the InQL extension. It also addresses denial-of-service risks through nested query depth attacks and alias-based duplication.
2026-04-10 | Hacking (and Securing) GraphQL | beginner | Library for securing GraphQL APIs against common attack vectors like SQL injection, XSS, and denial-of-service (DoS) via query batching, aliasing, duplication, and circular queries. It details how introspection queries can reveal the API schema and emphasizes the importance of input sanitization for mutations and queries to prevent injection attacks. The library also highlights Arcjet's role in analyzing requests within route handlers or middleware for enhanced security.
2026-04-10 | GraphQL API Vulnerabilities - PortSwigger | beginner, API Sec | Library for testing GraphQL APIs, detailing common vulnerabilities like introspection enablement and insecure direct object references (IDORs). It covers techniques for discovering GraphQL endpoints, including universal queries and common endpoint names, and demonstrates how to exploit unsanitized arguments to access unauthorized data. The library also explains how to use introspection queries to gather schema information and identifies methods for probing and running full introspection queries against vulnerable endpoints. → portswigger.net
2026-04-10 | GraphQL Attacks and Vulnerabilities | beginner | Library for understanding GraphQL security, covering common attacks like introspection, GraphiQL exploitation, and Denial of Service (DoS) through batching, alias overloading, and field duplication. It explains how GraphQL's flexibility can be leveraged by attackers to gather information or overwhelm servers, highlighting the importance of securing these APIs against both GraphQL-specific and traditional web application threats.
2026-04-10 | How a GraphQL Bug Resulted in Authentication Bypass | intermediate | Library detailing an authentication bypass vulnerability in an e-commerce application's GraphQL API. The article explores how attackers can abuse GraphQL introspection and mutations, such as `Register` and `CreateAdminUser`, to gain unauthorized administrative access. It highlights the importance of proper access control for GraphQL endpoints and discusses techniques for discovering these flaws, including schema introspection and authorization checks, as explained by researcher J. Francisco Bolivar. → hackerone.com
2026-04-10 | Top GraphQL Security Vulnerabilities: Analyzing 1,500+ Endpoints | intermediate |
2026-04-10 | GraphQL API Security Risks Every Developer Should Know | beginner | Library for GraphQL API security, focusing on mitigating risks like excessive query complexity, data over-exposure, injection attacks (SQL, command, prompt), Insecure Direct Object Reference (IDOR), denial-of-service (DoS) via query amplification and complexity bombs, schema introspection misuse, and Cross-Site Request Forgery (CSRF) on mutation operations. It recommends best practices such as field-level authorization, query whitelisting, depth limits, and query cost analysis to protect against these vulnerabilities. → wiz.io
2026-04-10 | GraphQL API Vulnerabilities and Common Attacks | beginner | Library detailing GraphQL API vulnerabilities, including introspection attacks, excessive error suggestions, denial of service via batching and alias overloading, and injection and broken authentication/authorization. It highlights the potential for attackers to exploit GraphQL's flexibility, schema introspection, and tools like GraphiQL for information gathering and disruption. Recommendations include disabling introspection and GraphiQL in production, masking verbose errors, and limiting or disabling query batching to mitigate these risks. → imperva.com
2026-04-10 | Exploiting Broken Access Control on GraphQL | intermediate | Writeup detailing the exploitation of broken access control and IDOR vulnerabilities in GraphQL. It explains how to leverage GraphQL introspection, aided by tools like Burp's InQL extension and GraphQL Voyager, to identify and access sensitive data from other tenants. The writeup outlines a practical scenario involving pivoting from a project's assigned roles to another company's user data, emphasizing the need for robust authentication, authorization, and role-based access controls to prevent such breaches. → vaadata.com
2026-04-10 | GraphQL Security: 7 Common Vulnerabilities and Mitigations | beginner | Guide detailing seven common GraphQL vulnerabilities including introspection attacks, GraphiQL exploitation, excessive error suggestions, denial-of-service attacks (batching, alias overloading, field duplication, directive overloading, circular queries, pagination bypass), injection attacks (SQL, XSS, OS command), server-side request forgery (SSRF), and broken authentication/authorization. It outlines mitigations like disabling introspection, limiting verbose errors, implementing query complexity limits, validating/sanitizing inputs, using parameterized queries, and enforcing fine-grained access controls.
2026-04-10 | GraphQL Security Flaws and Exploitation | intermediate | → infosecwriteups.com
2026-04-06 | GraphQL Security Vulnerabilities Guide - SecPortal | beginner |
2026-04-06 | GraphQL Security: How I Found and Exploited Critical IDOR and Authorization Bypass | intermediate, IDOR | → infosecwriteups.com
2026-04-03 | GraphQL Security Testing Guide (2026) | beginner | Library for continuous GraphQL security testing, essential for enterprises because flexible, client-defined queries enable excessive data exposure, broken authorization, and denial-of-service risks. It addresses the visibility gap created by GraphQL's single endpoint and dynamic structures, which traditional API security tools struggle to detect. The library helps validate authentication, authorization, query complexity, and data exposure, assessing runtime behavior beyond static controls to identify vulnerabilities like excessive data exposure and broken object-level authorization before exploitation.
2026-04-03 | GraphQL Security Complete Guide | Payload Playground | beginner |
2026-04-03 | GraphQL Vulnerabilities and Common Attacks Seen in the Wild | Imperva | beginner | Library for identifying GraphQL vulnerabilities and common attacks seen in the wild. It covers common attack vectors such as introspection abuse, denial-of-service, and unauthorized data exposure, offering insights into how these vulnerabilities are exploited in real-world scenarios. The library aims to aid developers and security professionals in understanding and mitigating risks associated with GraphQL implementations. → imperva.com
2026-04-03 | GraphQL API Vulnerabilities, Common Attacks & Security Tips | beginner | Library detailing GraphQL API security, covering its structure, common attacks, and defensive measures. It explains the schema, object types, queries, and mutations, then delves into pentesting methodologies and tools. Key areas include endpoint discovery using fuzzing and wordlists like Seclists, schema enumeration, and leveraging GraphQL's introspection feature to reveal API structure. The resource highlights vulnerabilities inherent to APIs while emphasizing GraphQL-specific attack vectors. → vaadata.com
2026-04-03 | Hacking GraphQL Endpoints in Bug Bounty Programs | YesWeHack | intermediate | Library for identifying and exploiting GraphQL vulnerabilities. This guide details techniques such as abusing introspection queries and field suggestions, and performing mutation manipulation and batching attacks. It covers common vulnerabilities like information disclosure, IDOR, and improper access control, recommending tools such as GraphQL Voyager, InQL, Clairvoyance, and GraphQLmap for both introspection and fuzzing attacks when introspection is disabled. → yeswehack.com
2026-04-03 | PayloadsAllTheThings - GraphQL Injection | intermediate | Library detailing GraphQL injection techniques, including schema dumping via introspection queries and tools like GraphQLmap, inql, and clairvoyancex for pentesting. It covers common endpoint paths, HTTP method usage (GET/POST), error message analysis, and schema traversal for identifying access paths to types like User and Admin, utilizing resources such as the graphql-threat-matrix and Escape-Technologies/graphql-wordlist.
2026-04-03 | GraphQL | HackTricks | beginner | Reference detailing GraphQL security vulnerabilities and enumeration techniques. It covers discovering GraphQL endpoints via common paths and identifying the engine with tools like `graphw00f`. The document explains how to leverage introspection with queries like `{__typename}` and `{__schema}` to map out schemas, identify data types, and extract sensitive information from exposed `flags` or `users` fields, recommending JSON for POST requests to prevent CSRF. → book.hacktricks.xyz
2026-04-03 | GraphQL Cheat Sheet | OWASP | beginner | Cheatsheet from OWASP detailing security considerations for GraphQL APIs. It addresses common vulnerabilities like injection, DoS, and authorization abuse. The guide emphasizes strict input validation, disabling insecure defaults (introspection, excessive errors), and implementing query depth and amount limiting. It also covers preventing DoS through timeouts, query cost analysis, and rate limiting, with specific recommendations and examples for various implementations, including graphql-java and JavaScript. → cheatsheetseries.owasp.org
2026-04-03 | GraphQL Security from a Pentester's Perspective | AFINE | intermediate | Library for identifying and exploiting GraphQL vulnerabilities, detailing techniques for detecting endpoints and abusing introspection to enumerate schemas. The resource examines common weaknesses such as GraphQL Injection, DoS attacks via batching or recursive queries, and authorization flaws, providing example payloads and tools like Burp Suite extensions, GraphQLmap, InQL, and GraphQL Raider for testing Apollo Server, Hasura, and Graphene implementations.
2026-03-25 | Escape-Technologies/awesome-graphql-security: A curated list of awesome GraphQL Security frameworks, libraries, software and resources | beginner, API Sec | Library of curated GraphQL security resources, including frameworks like GraphQL Shield and GraphQL Armor, testing tools such as Escape, GraphQL Cop, InQL (Burp Extension), and Graphw00f, clients like Postman and Altair, and educational materials covering vulnerabilities like IDOR, CSRF, SQL Injection, and cyclic queries. This list also features guides on access control, schema validation with GraphQL Inspector and GraphQL Visualizer, and resources for discovering GraphQL endpoints.
2025-12-30 | Teycir/BurpAPISecuritySuite: Burp Suite extension for API security testing with 15 attack types, 108+ payloads, intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance. Supports REST/GraphQL/SOAP APIs with Nuclei, Turbo Intruder, and external tool integration. OWASP API Top 10 coverage. | intermediate, API Sec, Burp Fuzzing | Library of Burp Suite extensions offering comprehensive API security testing, including 15 attack types and over 108 payloads. It features intelligent fuzzing, BOLA/IDOR detection, AI integration, and automated reconnaissance for REST, GraphQL, and SOAP APIs. The suite integrates with Nuclei, Turbo Intruder, and other external tools, providing broad coverage of OWASP API Top 10 vulnerabilities and advanced techniques like differential analysis and token lineage tracking.
2025-11-24 | A Terminal client for HTTP/GraphQL/gRPC with support for SSH tunnels, WebSockets, SSE, workflows, profiling, OpenAPI and response diffs. | beginner | #golang https://t.co/sDSO3DWkkl
2025-08-14 | Mastering the Realm of GraphQL Exploitation | advanced | Writeup titled "Mastering the Realm of GraphQL Exploitation", focused on exploiting GraphQL. The title suggests a deep dive into advanced techniques or strategies for manipulating GraphQL queries to gain unauthorized access or extract sensitive information. → infosecwriteups.com
2025-08-14 | GraphQL - Security Overview and Testing Tips · Doyensec's Blog | beginner | Reference for GraphQL security testing. This article highlights common vulnerabilities like Broken Access Controls, Insecure Direct Object References, and SQL/NoSQL Injections. It recommends tools such as `graphql-ide` and a custom Python script (`GraphQL_Introspection.py`) for enumerating schemas. The text details testing tips for identifying exposed endpoints, such as `/graphql` or `/graphql.php?debug=1`, and emphasizes the need for developers to implement robust authorization logic, as GraphQL itself does not inherently secure data. It also discusses the risks of nested queries leading to DoS attacks and information disclosure through error messages. → blog.doyensec.com
2025-08-14 | Facebook GraphQL CSRF – These aren't the access_tokens you're looking for | intermediate, CSRF | Writeup about a Cross-Site Request Forgery (CSRF) vulnerability in Facebook's GraphQL in which access tokens play a part. The title suggests that the access tokens involved may not be secure or may be compromised; the phrase "These aren't the access_tokens you're looking for" implies deceptive or unauthorized access tokens are in play.
2025-08-14 | https://github.com/gsmith257-cyber/GraphCrawler | beginner | Tool for automated GraphQL endpoint security testing. GraphCrawler integrates with Escape Technology's Graphinder for endpoint discovery and can utilize Clairvoyance to brute-force schemas when introspection is disabled. It checks for enabled mutations, sensitive queries, and authentication requirements, scoring findings from 1-10. The tool also supports graphql-path-enum for deeper schema exploration.
2025-08-14 | https://blog.assetnote.io/2021/08/29/exploiting-graphql/ | intermediate, API Sec | Tool for auditing GraphQL APIs: BatchQL identifies introspection query support, schema suggestions, CSRF vulnerabilities, and JSON/query name based batching. It aids in recovering GraphQL schemas using tools like Clairvoyance and Clairvoyancex, and can detect potential CSRF by sending GET and POST requests. BatchQL enables batching attacks, such as attempting all possible password reset PINs in a single query, bypassing rate limiting.
2025-08-14 | GraphQL introspection leads to sensitive data disclosure. | intermediate | GraphQL introspection can potentially lead to the disclosure of sensitive data. Introspection allows clients to query the schema and understand the structure of the API, which can inadvertently expose sensitive information. Developers should carefully manage introspection capabilities to prevent unauthorized access to confidential data.
2025-08-14 2025GraphQL Introspection leads to Sensitive Data Disclosure. intermediateGraphQL Introspection can potentially lead to the disclosure of sensitive data. This feature allows clients to query the schema of a GraphQL API, potentially exposing information that should be kept private. It is essential for developers to be cautious when using GraphQL Introspection to prevent unintentional disclosure of sensitive data.
2025-08-14 2025[TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST intermediateThe content mentions a potential security vulnerability on the Tokopedia website related to Cross-Site Request Forgery (CSRF) through GraphQL requests. This vulnerability could allow attackers to perform unauthorized actions on behalf of users. It highlights the importance of addressing and fixing such vulnerabilities to ensure the security of the website and protect user data.
2025-08-14 2025swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a intermediateTool for pentesting GraphQL endpoints, GraphQLmap offers a scripting engine to interact with APIs. It supports schema dumping, query execution for both queries and mutations, and fuzzing capabilities using placeholders like `GRAPHQL_CHARSET`, `GRAPHQL_INCREMENT`, `BATCHING_PLACEHOLDER`, and `BLIND_PLACEHOLDER`. It also includes functions for detecting SQL injection vulnerabilities like `nosqli`, `postgresqli`, and `mysqli`.
2025-08-14 2025br3akp0int/GQLParser: A repository for GraphQL Extension for Burp Suite intermediateExtension for Burp Suite that automatically detects and parses GraphQL requests, presenting dynamic user input parameters in a structured format for easier payload injection. This tool simplifies the process of tampering with GraphQL queries by allowing testers to edit queries directly within Burp Suite and send them to Repeater for further analysis and vulnerability testing. It aims to integrate with Burp's Scanner to facilitate integer scanning and optimize the scanner for reduced bad requests, with ongoing development for core GraphQL vulnerability scanning.
2025-08-14 2025doyensec/graph-ql: GraphQL Security Research Material beginnerTool for GraphQL security testing; InQL scans endpoints, auto-generates queries, and analyzes for vulnerabilities like circular references. It integrates with Burp for enhanced request manipulation and allows custom headers per domain. InQL also supports batch query execution for rate limit circumvention and engine fingerprinting, even when introspection is disabled, using regex pattern matching.
2025-02-01 2025GraphQL - HackTricks beginnerLibrary for understanding GraphQL security vulnerabilities. It details how GraphQL's efficiency in data fetching can introduce security risks if authentication is not properly implemented. The library covers common paths for discovering GraphQL endpoints, using tools like graphw00f, and leveraging introspection with queries like `query { __typename }` and `query { __schema { types { name, fields { name } } } }` to enumerate schema information and extract data.
2024-10-17 2024👩‍💻Roadmap to Cybersecurity in 2022, Full-Read SSRF, IDOR in GraphQL, GCP Pentesting, and much… intermediate SSRFThe content discusses a talk focusing on cybersecurity in 2022, covering topics such as SSRF, IDOR in GraphQL, GCP Pentesting, and more. The talk highlights the significant value, over $25 billion, that is at risk due to practical attacks on bridges. It emphasizes the importance of understanding and addressing vulnerabilities in cybersecurity to protect valuable assets. → infosecwriteups.com
2024-09-14 2024Mastering GraphQL API Pentesting: The Ultimate Resource Guide beginner Bug BountyHello! I’m Raunak Gupta, a Security Researcher, Bug Bounty Hunter, and Computer Science student from India. Today, I’m excited to share all…
2023-10-05 2023Mastering the Realm of GraphQL Exploitation advancedThe content titled "Mastering the Realm of GraphQL Exploitation" likely delves into advanced techniques for exploiting vulnerabilities in GraphQL implementations. It may cover topics such as security risks, common attack vectors, and strategies for securing GraphQL APIs. The content is likely aimed at individuals looking to deepen their understanding of GraphQL security and improve their ability to identify and mitigate potential exploits in GraphQL applications.
2023-05-29 2023Slides: GraphQL Hacking beginner TalksSlides: GraphQL Hacking https://ift.tt/oLqt1GD
2022-05-11 2022Favorite tweet by @harshbothra_ beginnerFavorite tweet: 7 Free Practice Labs to Master GraphQL Attacks 🧵 — Harsh Bothra (@harshbothra_) May 11, 2022
2022-01-08 2022Damn Vulnerable GraphQL Application beginner API SecLibrary for practicing GraphQL security, DVGA is an intentionally vulnerable implementation designed to teach and test for various flaws including Injections, Code Executions, Bypasses, and Denial of Service attacks. It offers Beginner and Expert modes and covers exploitation techniques such as Batch Query, Deep Recursion, and Authorization Bypass. DVGA supports common installation via Git or Docker and requires Python3, Flask, and Graphene.
2021-09-06 2021Exploiting GraphQL newsTool for auditing GraphQL endpoints. BatchQL identifies introspection query support, schema suggestions, potential CSRF, query name based batching, and JSON list based batching. It can perform batch queries and mutations, potentially bypassing rate limiting for sensitive functionalities like password resets. The tool also aids in discovering GraphQL schemas, a crucial step for understanding the attack surface.
2020-02-25 2020doyensec/graph-ql: GraphQL Security Research Material intermediateTool for GraphQL security testing, InQL offers a Scanner to auto-generate queries and mutations, a Points of Interest analysis for vulnerability detection, and circular reference detection. It seamlessly integrates with Burp for enhanced interactions, supports custom headers, and allows batch GraphQL attacks. InQL also includes an engine fingerprinting scanner to retrieve backend server technology information and can recreate schemas even when introspection is disabled.
2020-01-19 2020Facebook GraphQL CSRF – These aren't the access_tokens you're looking for intermediate CSRFA CSRF bug in business.instagram.com allowed unauthorized GraphQL calls. The bug was discovered in the View the Assigned Roles and Emails of an Instagram Account feature. Users without an Instagram Business account encountered an error page during login. This issue highlights a potential security vulnerability in Facebook's GraphQL system.
2020-01-19 2020[TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST intermediateThe content mentions a vulnerability in the Tokopedia website related to Cross-Site Request Forgery (CSRF) through GraphQL requests. This vulnerability could potentially allow attackers to perform unauthorized actions on behalf of users on the Tokopedia site. It highlights the importance of addressing and fixing such security flaws to protect user data and prevent malicious activities.
2020-01-13 2020GraphQL IDOR leads to information disclosure - Eshan Singh - Medium intermediate IDOREshan Singh, also known as R0X4R, discusses a recent discovery of an Insecure Direct Object Reference (IDOR) vulnerability in GraphQL that led to information disclosure. The article likely delves into the impact and implications of this vulnerability in GraphQL systems.

Frequently Asked Questions

How is GraphQL security different from REST?
GraphQL consolidates all operations behind a single endpoint, making traditional API enumeration ineffective. Unique risks include schema introspection exposure, deeply nested query denial-of-service, batch query abuse to bypass rate limiting, and field-level authorization gaps in resolvers.
Should you disable GraphQL introspection in production?
Yes, disabling introspection in production is a recommended security practice. It prevents attackers from mapping your entire schema, including types, fields, and relationships. However, schema details can still leak through error messages, autocomplete, and field suggestion features.
What tools are used to test GraphQL security?
Common tools include GraphQL Voyager for schema visualization, InQL for Burp Suite integration, graphql-cop for automated security testing, and Clairvoyance for schema reconstruction when introspection is disabled. Manual testing with crafted queries remains essential.
