TL;DR
- ✓GraphQL hides an entire schema behind one endpoint, so testing starts with introspection or schema recovery.
- ✓The same OWASP API risks apply: BOLA, BFLA, and mass assignment are common, just expressed through queries and mutations.
- ✓GraphQL adds its own DoS surface: deeply nested queries, batching, and aliasing can exhaust the server or bypass rate limits.
- ✓Core tooling: graphw00f to fingerprint, InQL to parse introspection, Clairvoyance to recover a disabled schema.
GraphQL security testing is the assessment of a single GraphQL endpoint for authorization, injection, and denial-of-service flaws expressed through queries and mutations. Because one URL (usually /graphql) fronts the entire data model, the first job is always to recover the schema, and the second is to realize that the OWASP API Security Top 10 still applies, just in GraphQL's syntax.
This guide walks the full process: discovering the schema, testing authorization and mass assignment, abusing GraphQL-specific features like batching and aliasing for DoS and brute force, and the tools that make it practical. Example queries are included throughout.
What is GraphQL security testing?
GraphQL security testing is penetration testing adapted to GraphQL's single-endpoint, client-specified-query model. Instead of dozens of REST routes, you have one endpoint where the client decides exactly which fields and relationships to fetch, which shifts the attack surface toward the schema and the resolver logic behind it.
The discipline overlaps heavily with REST API penetration testing, but three things are unique:
- The schema is the map. Recover it first, by introspection or inference.
- Authorization is per-field and per-resolver, so gaps hide in nested objects.
- Query structure itself is an attack vector: depth, aliasing, and batching.
Everything else (BOLA, mass assignment, injection) is the same risk you would test in REST, reached through a different request shape.
How do you discover a GraphQL schema?
You recover the schema first, ideally through introspection, and fall back to inference when introspection is disabled. The schema tells you every type, query, mutation, and field, which is the entire roadmap for the test.
Start with an introspection query:
POST /graphql HTTP/1.1
Content-Type: application/json
{ "query": "{ __schema { types { name fields { name } } queryType { name } mutationType { name } } }" }
If introspection returns the schema, load it into InQL (a Burp extension) to auto-generate queries. If it is disabled, use Clairvoyance, which reconstructs the schema by abusing the field-suggestion messages in GraphQL error responses ("Did you mean ..."). Run graphw00f first to fingerprint the engine (Apollo, Hasura, graphql-ruby), because each leaks differently and has different default protections.
GraphQL security testing checklist
Schema recovery
- ✓Fingerprint engine with graphw00f
- ✓Run introspection query
- ✓Recover disabled schema with Clairvoyance
- ✓Parse and build queries with InQL
Authorization
- ✓BOLA: pass other users' IDs to queries
- ✓Nested-object authorization gaps
- ✓BFLA: invoke admin-only mutations
GraphQL-specific
- ✓Deeply nested query DoS / cost limits
- ✓Aliasing to bypass rate limits
- ✓Batching abuse on login/OTP
- ✓Mass assignment via mutation inputs
- ✓Introspection enabled in production
How do you test authorization in GraphQL?
You test authorization per field and per object, because GraphQL enforces access in resolvers that are easy to forget. BOLA and BFLA are just as common here as in REST; they simply appear inside a query argument or a mutation.
A BOLA in GraphQL looks like passing another user's ID into a query:
POST /graphql
{ "query": "{ user(id: 1052) { email phone ssn } }" }
, - if your token returns user 1052's data, that's a BOLA
Then test nested authorization: a query you are allowed to run may expose a related object you are not, for example { order(id: 9) { customer { email } } } where order is checked but customer is not. For BFLA, call admin-only mutations like mutation { deleteUser(id: 1052) } with a low-privilege token. This per-resolver gap is the most common serious GraphQL finding, mirroring what we cover in the API pentest checklist.
What GraphQL-specific attacks should you test?
Beyond the standard API risks, GraphQL has a native attack surface in query structure: depth, batching, and aliasing. These enable denial of service and rate-limit bypass that REST does not expose.
- Deeply nested queries (DoS): if types reference each other, you can nest a query that explodes the resolver tree, for example
{ author { posts { author { posts { ... } } } } }. Confirm whether query-depth and cost limits exist. - Aliasing for brute force: one request can fire hundreds of operations using aliases, bypassing per-request rate limits:
{ a: login(pw:"1"){token} b: login(pw:"2"){token} ... }. - Batching: many GraphQL servers accept an array of operations in one HTTP request, again sidestepping rate limits on login or OTP.
- Mass assignment via mutations (BOPLA): pass input fields the client never shows, like
{ updateUser(input:{id:1, role:"ADMIN"}) { id } }. - Introspection in production: leaving it enabled is a misconfiguration that hands attackers the full map.
Strobes insight
Disabling introspection is not a security control. Clairvoyance reconstructs most schemas from error-message field suggestions, so you must still enforce authorization in every resolver.
How do you secure a GraphQL API?
You secure GraphQL by enforcing authorization in every resolver, limiting query cost, and disabling introspection in production. The fixes map directly to the attacks above, and most are configuration rather than code rewrites.
- Enforce object and field-level authorization in resolvers, not just at the top-level query.
- Apply query-depth limits, cost analysis, and timeouts to stop nested-query DoS.
- Cap or disable query batching and aliasing on sensitive operations like login.
- Allow-list input fields on mutations to block mass assignment.
- Disable introspection and field suggestions in production to slow schema recovery.
- Apply rate limits per operation, not just per HTTP request, so aliasing cannot bypass them.
Treat GraphQL as a first-class part of your API security program. For continuous coverage across REST and GraphQL together, see how agentic pentesting runs these checks on every deploy.
Frequently asked questions
Is GraphQL less secure than REST?
GraphQL is not inherently less secure, but it shifts and adds risk. The same authorization and injection bugs from REST apply, plus GraphQL-specific issues like query-depth DoS, aliasing, and batching that bypass naive rate limits. Its single-endpoint, client-specified-query model means authorization must be enforced per resolver, which is easy to get wrong.
What is a GraphQL introspection attack?
Introspection is a built-in feature that lets a client query the full schema, including every type, query, and mutation. When left enabled in production, it hands an attacker a complete map of the API. Even when disabled, tools like Clairvoyance can reconstruct much of the schema from error-message field suggestions.
How do you test for BOLA in GraphQL?
Find a query or mutation that takes an object ID as an argument, then supply an ID belonging to another user while authenticated as yourself. If the response returns that user's data, it is a BOLA. Also test nested objects: a permitted query may expose a related object whose resolver does not check authorization.
What is a GraphQL batching attack?
Many GraphQL servers accept multiple operations in one request, either as an array of queries or via aliases. An attacker uses this to run hundreds of operations (such as login attempts) in a single HTTP request, bypassing per-request rate limits and enabling brute force or enumeration at scale.
What tools are used for GraphQL security testing?
graphw00f fingerprints the GraphQL engine, InQL (a Burp extension) parses introspection and generates queries, Clairvoyance recovers schemas when introspection is disabled, and GraphQL Voyager visualizes the schema. Burp Suite or mitmproxy handle interception and replay.
How do you prevent GraphQL denial-of-service attacks?
Apply query-depth limits and cost analysis so deeply nested queries cannot explode the resolver tree, set per-operation timeouts, cap or disable batching and aliasing on sensitive operations, and rate-limit per operation rather than per HTTP request. Together these stop the nested-query and aliasing DoS vectors.
Sources and references
L
Likhil Chekuri
Application Security Engineer, Strobes
Likhil Chekuri is an AppSec engineer at Strobes who has run hundreds of web, mobile, and cloud penetration tests for regulated industries.
