GraphQL is a query language and runtime that lets clients fetch exactly the data they need from a single endpoint. It is powerful, and the things that make it powerful (introspection, query flexibility, batching, nested resolvers) also create distinct security challenges that REST testers miss. This module covers GraphQL-specific attacks, defenses, and tooling.
GraphQL basics
- Single endpoint (typically /graphql)
- POST request body contains the query in GraphQL query language
- Server response contains exactly the requested fields, no more
- Schema defines available types, queries, mutations, subscriptions
- Resolvers fetch data for each field
Introspection: a gift to attackers
GraphQL servers can expose their full schema via introspection queries:
# Standard introspection query
query IntrospectionQuery {
  __schema {
    types { name fields { name type { name } } }
    queryType { name }
    mutationType { name }
  }
}
# In production: introspection should be DISABLED.
# In dev/staging: enabled is fine for tooling like GraphiQL.
If introspection is on in production, an attacker has your full API documentation in seconds. Tools like GraphQL Voyager visualize the schema. Testing for hidden mutations like internalAdminPasswordReset becomes trivial.
InQL / GraphQL-Voyager / Altair
InQL is a Burp extension that auto-introspects and generates a testing UI. Altair is a standalone GraphQL client. Both are essential for GraphQL pentesting.
Query depth and complexity attacks
GraphQL’s killer feature, nested queries, is also a DoS vector:
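The two defenses raised so far, turning introspection off in production and bounding how deeply a query may nest, can both be enforced before a query ever reaches the executor. The following is an added example, not code from this module or from any GraphQL server project: a dependency-free textual guard in JavaScript. `MAX_DEPTH`, the `guardQuery` function and the sample queries with their field names (`user`, `friends`, `posts`) are constructed here for illustration.

```javascript
// Added example: a pre-execution guard for incoming GraphQL documents.
//   1. Reject introspection meta-fields (__schema / __type) outside development.
//   2. Reject documents whose selection sets nest deeper than MAX_DEPTH.
// No GraphQL library is used; the check works on the raw query text.
// MAX_DEPTH and the sample queries below are constructed values.

const MAX_DEPTH = 6;

// Blank out string literals and "#" comments so braces inside them are not
// counted as selection sets. Handles block strings ("""..."""), ordinary
// strings with backslash escapes, and line comments.
function stripStringsAndComments(src) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    if (src.startsWith('"""', i)) {
      const end = src.indexOf('"""', i + 3);
      i = end === -1 ? src.length : end + 3;
      out += " ";
    } else if (src[i] === '"') {
      i++;
      while (i < src.length && src[i] !== '"') {
        if (src[i] === "\\") i++; // skip the escaped character
        i++;
      }
      i++; // closing quote
      out += " ";
    } else if (src[i] === "#") {
      while (i < src.length && src[i] !== "\n") i++;
    } else {
      out += src[i];
      i++;
    }
  }
  return out;
}

// Maximum nesting of "{ ... }" selection sets in the document.
function queryDepth(query) {
  const cleaned = stripStringsAndComments(query);
  let depth = 0;
  let max = 0;
  for (const ch of cleaned) {
    if (ch === "{") {
      depth++;
      if (depth > max) max = depth;
    } else if (ch === "}") {
      depth--;
    }
  }
  return max;
}

// True if the document names the introspection meta-fields. The trailing
// word boundary keeps the legitimate __typename field from matching.
function usesIntrospection(query) {
  return /\b__(schema|type)\b/.test(stripStringsAndComments(query));
}

// Returns { ok: true, depth } or { ok: false, reason }. A caller would map a
// rejection to an HTTP 400 and log it, since both conditions are worth
// alerting on in production traffic.
function guardQuery(query, env = "production") {
  if (env === "production" && usesIntrospection(query)) {
    return { ok: false, reason: "introspection is disabled in production" };
  }
  const depth = queryDepth(query);
  if (depth > MAX_DEPTH) {
    return { ok: false, reason: `query depth ${depth} exceeds limit ${MAX_DEPTH}` };
  }
  return { ok: true, depth };
}

// Constructed sample documents.
const INTROSPECTION = `query IntrospectionQuery { __schema { types { name } } }`;
const DEEP = `{ user { friends { friends { friends { friends { friends { friends { name } } } } } } } }`;
const NORMAL = `query { user(id: "{not a brace}") { name posts { title } } } # { comment }`;

console.log(guardQuery(INTROSPECTION, "production")); // rejected
console.log(guardQuery(INTROSPECTION, "development")); // allowed, depth 3
console.log(guardQuery(DEEP));                         // rejected, depth 8
console.log(guardQuery(NORMAL));                       // allowed, depth 3
```

The depth count is purely textual, so a fragment spread (`...F`) whose definition is itself nested is not expanded; a schema-aware depth or cost limit in the server's own validation layer is the proper place for the production control, and in Apollo Server the introspection switch is the `introspection` constructor option. The value of a guard like this is as a cheap first line that also produces a clean log event when someone probes the schema or sends a pathologically nested document.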