GraphQL, a query language for your API and a server-side runtime for executing those queries, is rapidly becoming a prevalent technology in modern web applications. This technology, developed by Facebook in 2012 and released as an open-source project in 2015, provides a more efficient and flexible way to query data than traditional REST APIs.

In this series we will look to understand GraphQL and the attacks we can perform against it. If you’re interested in the official documentation, you can find out more about GraphQL here.

Introduction to GraphQL

GraphQL offers clients the power to ask for exactly what they need and nothing more. This leads to reduced amounts of data traveling over the network, as well as more agile front-end development since developers can adapt the data returned without backend changes.

The strength of GraphQL lies in its flexibility; a single endpoint can handle a multitude of different queries. However, more often than not, flexibility comes with the price of poor security.

Common Attacks on GraphQL

Vulnerabilities in GraphQL often arise from design and implementation flaws. The following are some of the more common attacks:

  1. Introspection Attacks: GraphQL provides an introspection system that allows users to ask what types are available. If not properly disabled or protected, malicious users can retrieve the entire schema.
  2. Denial of Service (DoS): Given its flexible query nature, an attacker can craft complex, nested queries that can lead to extensive resource consumption.
  3. Insecure Direct Object Reference (IDOR): This occurs when an application exposes internal objects by their database identifier without adequate authorization checks.
  4. Rate Limiting Bypass: Without adequate rate limiting, malicious actors can bombard the GraphQL endpoint with queries, leading to DoS.
  5. Missing Authorization: Lack of proper authorization checks can allow unauthorized access to sensitive data or unauthorized mutation of data.

Finding GraphQL Endpoints

Before we can exploit a GraphQL service, we need to find its endpoints. Remember that GraphQL typically uses a single endpoint for all requests.

Universal Queries: By sending a query like query{__typename}, we can identify whether an endpoint is a GraphQL service. This relies on the reserved field __typename, which every GraphQL object exposes and which returns the type name of the queried object.

Common Endpoints: The following are the usual suspects for GraphQL endpoints:

  • /graphql
  • /api
  • /api/graphql
  • /graphql/api
  • /graphql/graphql

By appending common paths like /v1 or using different HTTP methods, we can further probe for hidden GraphQL endpoints.

Exploiting Unsanitized Arguments

For our first common attack, we will focus on exploiting unsanitized arguments. Imagine a social media platform where users can mark their posts as private. If an attacker knows the post ID, and if the platform doesn’t correctly sanitize the ‘visibility’ argument, they can view private posts.

Intended Query:

  query {
    post(postID: 456) { title content }   # title and content are assumed field names
  }

Attacker's Query:

  query {
    post(postID: 456, visibility: "public") { title content }
  }

By explicitly setting the visibility to “public”, we can bypass checks on the post’s visibility status.
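To show where this flaw actually lives on the server side and how to close it, here is an added example (not code from the original post): a Node.js-style resolver for the post field, first trusting the client's visibility argument and then deriving authorization from stored state only. The in-memory posts store, the user ids and the field names are assumptions made for the illustration.

```javascript
// Added example (not from the original post): the same `post` resolver written the
// vulnerable way and the fixed way. The in-memory store, ids, users and field names
// (title, content, ownerID) are constructed for illustration.
const posts = new Map([
  [456, { postID: 456, ownerID: 7, visibility: "private", title: "Draft", content: "unpublished" }],
  [457, { postID: 457, ownerID: 7, visibility: "public", title: "Hello", content: "world" }],
]);

// Vulnerable: the resolver lets the client-supplied `visibility` argument override
// the visibility stored with the post, so the access check runs against attacker input.
// A query sent with visibility: "public" therefore returns a private post.
function postResolverVulnerable(_parent, args, context) {
  const post = posts.get(args.postID);
  if (!post) return null;
  const visibility = args.visibility ?? post.visibility; // trusts the argument
  if (visibility === "private" && post.ownerID !== context.userID) return null;
  return post;
}

// Fixed: authorization is derived only from server-side state (the stored visibility
// and the authenticated caller). Any `visibility` argument is ignored; better still,
// remove it from the schema so the field is declared as `post(postID: ID!): Post`.
function postResolverFixed(_parent, args, context) {
  const post = posts.get(args.postID);
  if (!post) return null;
  if (post.visibility !== "public" && post.ownerID !== context.userID) return null;
  return post;
}

// Replays the two queries from the post for a viewer who is not the owner (userID 99).
function demo() {
  const viewer = { userID: 99 };
  return {
    vulnerableIntended: postResolverVulnerable(null, { postID: 456 }, viewer),
    vulnerableBypass: postResolverVulnerable(null, { postID: 456, visibility: "public" }, viewer),
    fixedBypass: postResolverFixed(null, { postID: 456, visibility: "public" }, viewer),
  };
}

console.log(demo());
```

Running it shows the vulnerable resolver hiding the private post for the intended query but returning it once visibility: "public" is supplied, while the fixed resolver returns null in both cases for a non-owner.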

Wrapping up

GraphQL provides an efficient way to fetch and update data, but like all technologies, it requires security to be treated as a concern from the start. That’s it for part 1; we will cover more complex attacks in the coming posts, so stay tuned.
