Comprehensive GraphQL Security Guide

A practitioner’s reference for attacking and defending GraphQL APIs: discovery, introspection, schema recovery, injection, authorization flaws, batching, DoS, subscriptions, CSRF/CSWSH, engine-specific quirks, and detection/prevention. Compiled from 31 research sources.

Table of Contents
Fundamentals
Discovery & Fingerprinting
Introspection
Schema Recovery Without Introspection
Query & Data Extraction
Mutations & Mass Assignment
Authorization Flaws (BOLA / BFLA / IDOR)
Injection Through GraphQL
Batching Attacks & Aliases
Denial of Service
CSRF & CSWSH
Subscriptions & WebSockets
Engine-Specific Notes (Apollo, Hasura, graphql-java, async-graphql, Mercurius)
Notable CVEs & Real-World Chains
Tooling
Detection & Prevention
Payload Quick Reference

1. Fundamentals
GraphQL is a query language and server runtime for APIs, originally developed at Facebook and open-sourced in 2015. Instead of the many fixed endpoints of a REST API, a GraphQL service exposes a single endpoint that accepts typed queries and returns exactly the fields the client asks for. ...

April 10, 2026 · 22 min · Carl Sampson

Comprehensive API Security Guide

A practitioner’s reference for API security: attack surface, OWASP API Top 10 exploitation, authentication and authorization bypasses, GraphQL-specific attacks, rate limit evasion, API gateway hardening, open banking compliance, AI/MCP risks, real-world chains, and detection/prevention. Compiled from 49 research sources.

Table of Contents
Fundamentals
API Styles: REST vs GraphQL vs gRPC vs SOAP
API Recon & Attack Surface Discovery
OWASP API Security Top 10 (2023)
OWASP Web Top 10 (2025): API Implications
BOLA / IDOR Deep Dive
Broken Authentication & Token Attacks
BOPLA: Mass Assignment & Excessive Data Exposure
Broken Function Level Authorization (BFLA)
Unrestricted Resource Consumption & Rate Limit Bypasses
Business Flow Abuse
SSRF in APIs
Security Misconfiguration & Improper Inventory
API Gateway Security
Unsafe Consumption of Third-Party APIs
GraphQL-Specific Attacks
JWT & OAuth 2.0 Exploitation
Injection in APIs
HTTP Request Smuggling in API Gateways
API Key & Secret Leak Detection
AI, MCP & Agentic API Risks
Open Banking & E-Commerce API Security
Real-World CVEs & Breach Chains
Tools & Automation
Detection & Prevention
Testing Checklist

1. Fundamentals
APIs now account for ~83% of web traffic and over 71% of all web requests. The average cost of a data breach is $4.88M, and a single API breach can dwarf that figure: T-Mobile’s 2023 incident exposed the records of 37M customers. API attacks increased 10-13x in 2025 (Indusface), 57% of organizations experienced at least one API-related data breach in the past two years (Traceable AI), and 97% of API vulnerabilities can be exploited with a single request (Wallarm 2026). Unlike traditional web apps, APIs expose more endpoints, lack a UI that constrains what a client can send, and are often protected by weaker compensating controls because developers assume machine-to-machine trust. ...

April 10, 2026 · 32 min · Carl Sampson