Comprehensive GraphQL Security Guide

A practitioner’s reference for attacking and defending GraphQL APIs — discovery, introspection, schema recovery, injection, authorization flaws, batching, DoS, subscriptions, CSRF/CSWSH, engine-specific quirks, and detection/prevention. Compiled from 31 research sources.

Table of Contents:
- Fundamentals
- Discovery & Fingerprinting
- Introspection
- Schema Recovery Without Introspection
- Query & Data Extraction
- Mutations & Mass Assignment
- Authorization Flaws (BOLA / BFLA / IDOR)
- Injection Through GraphQL
- Batching Attacks & Aliases
- Denial of Service
- CSRF & CSWSH
- Subscriptions & WebSockets
- Engine-Specific Notes (Apollo, Hasura, graphql-java, async-graphql, Mercurius)
- Notable CVEs & Real-World Chains
- Tooling
- Detection & Prevention
- Payload Quick Reference

1. Fundamentals

GraphQL is a query language and server runtime for APIs, originally developed at Facebook and open-sourced in 2015. Instead of the multiple fixed endpoints of a REST API, a GraphQL service exposes a single endpoint that accepts typed queries and returns exactly the fields the client asks for. ...

April 10, 2026 · 22 min · Carl Sampson

Comprehensive API Security Guide

A practitioner’s reference for API security — attack surface, OWASP API Top 10 exploitation, authentication and authorization bypasses, GraphQL-specific attacks, rate limit evasion, real-world chains, and detection/prevention. Compiled from 30 research sources.

Table of Contents:
- Fundamentals
- API Styles: REST vs GraphQL vs gRPC vs SOAP
- API Recon & Attack Surface Discovery
- OWASP API Security Top 10 (2023)
- BOLA / IDOR Deep Dive
- Broken Authentication & Token Attacks
- BOPLA: Mass Assignment & Excessive Data Exposure
- Broken Function Level Authorization (BFLA)
- Unrestricted Resource Consumption & Rate Limit Bypasses
- Business Flow Abuse
- SSRF in APIs
- Security Misconfiguration & Improper Inventory
- Unsafe Consumption of Third-Party APIs
- GraphQL-Specific Attacks
- JWT & OAuth 2.0 Exploitation
- Injection in APIs
- Real-World CVEs & Breach Chains
- Tools & Automation
- Detection & Prevention
- Testing Checklist

1. Fundamentals

APIs now account for ~83% of web traffic. The average cost of an API breach is $4.88M (T-Mobile 2023, 37M users affected). Unlike traditional web apps, APIs expose more endpoints, lack a constraining UI, and are often protected by weaker compensating controls because developers assume machine-to-machine trust. ...

April 10, 2026 · 21 min · Carl Sampson