Wiki: GraphQL Attack Vectors

17.10.2025

wiki graphql security

TL;DR

Recon: find endpoints and enable introspection.
DoS: deep recursion, batching, aliases, and fragments.
AuthZ: field-level and object-level access checks.

Recon

Detect GraphQL

curl -X POST -H 'Content-Type: application/json' \
  -d '{"query":"{ __typename }"}' http://target/graphql

Introspection

query {
  __schema {
    types { name }
  }
}

DoS and Abuse Patterns

Batch queries and large alias sets.
Deep recursion on nested fields.
Circular fragments.

Example:

query {
  alias1: expensiveField
  alias2: expensiveField
}

Info Disclosure

Introspection enabled in prod.
Verbose errors and stack traces.
Field suggestions reveal schema.

Injection

SQL/NoSQL injection inside resolver parameters.
HTML or log injection from unescaped fields.

AuthZ Bypass

Accessing fields that are hidden in the UI.
Mutations that allow role or ownership changes.

Notes

Always test with low-privileged tokens.
Keep payload sizes small to avoid accidental DoS.