Graphql

Comprehensive GraphQL Security Guide A practitioner’s reference for attacking and defending GraphQL APIs — discovery, introspection, schema recovery, injection, authorization flaws, batching, DoS, subscriptions, CSRF/CSWSH, engine-specific quirks, and detection/prevention. Compiled from 31 research sources. Table of Contents Fundamentals Discovery & Fingerprinting Introspection Schema Recovery Without Introspection Query & Data Extraction Mutations & Mass Assignment Authorization Flaws (BOLA / BFLA / IDOR) Injection Through GraphQL Batching Attacks & Aliases Denial of Service CSRF & CSWSH Subscriptions & WebSockets Engine-Specific Notes (Apollo, Hasura, graphql-java, async-graphql, Mercurius) Notable CVEs & Real-World Chains Tooling Detection & Prevention Payload Quick Reference 1. Fundamentals GraphQL is a query language and server runtime for APIs, originally developed at Facebook and open-sourced in 2015. Instead of the multiple fixed endpoints of a REST API, a GraphQL service exposes a single endpoint that accepts typed queries and returns exactly the fields the client asks for. ...