escape.tech
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-22 | Avoid GraphQL Denial-of-Service Attacks through Batching and Aliasing | GraphQL | Library for securing GraphQL APIs against denial-of-service (DoS) attacks and credential brute-forcing enabled by batching and aliases. Batch attacks bypass traditional rate limiting by executing numerous operations within a single API call, overwhelming servers and facilitating unauthorized access. This library, including the open-source GraphQL Armor plugin and a specialized scanner, helps identify and mitigate these vulnerabilities by enforcing query validation and limiting alias usage. |
| 2026-04-22 | GraphQL IDOR Vulnerabilities: What They Are and How to Fix | IDOR | Library focusing on preventing Insecure Direct Object References (IDOR) in GraphQL APIs. It details how IDOR vulnerabilities arise from improper validation of object identifiers, allowing unauthorized data access. The resource highlights real-world examples such as vulnerabilities in PayPal, Vimeo, and Shopify, and provides practical advice on implementing strong authentication and strict authorization checks within GraphQL resolvers to mitigate these risks. |
| 2026-04-19 | GraphQL Introspection Security: Lessons from the Parse Server Vulnerability | GraphQL | Reference on GraphQL introspection security, drawing lessons from CVE-2025-53364 in Parse Server; it highlights that disabling introspection is not a comprehensive solution. The vulnerability allowed public schema access, aiding targeted attacks. The recommendation is to secure introspection through authentication and RBAC and to avoid public exposure. While useful for development and public APIs, introspection can be bypassed via field suggestion or traffic analysis. Consider disabling it for private APIs if not needed, but otherwise focus on controlled access and automated testing with tools like Escape. |
| 2026-04-17 | GraphQL Security: 9 Best Practices to Protect Your API (Escape) | GraphQL | Library for protecting GraphQL APIs from common vulnerabilities. It details techniques for disabling introspection, implementing robust authorization and authentication at the resolver level, and mitigating denial-of-service attacks through query whitelisting, depth limiting, and complexity analysis. Examples include using Apollo Server with `introspection: process.env.NODE_ENV !== 'production'`, implementing `authMiddleware`, and utilizing libraries like `graphql-depth-limit`. |
| 2026-04-17 | Cyclic Queries and Depth Limiting (Escape) | GraphQL | Library for mitigating denial-of-service attacks against GraphQL APIs by limiting query depth and execution time. It details how malicious queries can exploit cyclic relationships in graph databases, leading to performance degradation and resource exhaustion. The library, through tools like `graphql-depth-limit` for Apollo, Express GraphQL, and GraphQL Node, and configuration options for Hasura Cloud and Graphene, enables developers to set maximum query depths and timeouts, ensuring application stability while maintaining usability. |
| 2026-04-16 | GraphQL Discovery: Pentesting 101 Guide | GraphQL | Guide on GraphQL discovery for penetration testing. This installment of the "Pentesting GraphQL 101" series details techniques for understanding endpoint limits, determining verbosity, and fetching API schema information through methods like basic queries, mutation checks for CSRF, aliasing, and character limits. It highlights the importance of query timing and error analysis, recommends tools like Altair for interaction, and covers leveraging introspection or "did you mean" suggestions for schema discovery, referencing the `awesome-graphql-security` list for further resources. |