
GraphQL Security: 10 Pentesting Findings You Should Know

2026-06-11

The most common — and most damaging — GraphQL findings we see, from introspection abuse and field suggestion leaks to nested query DoS and BOLA at the resolver layer.

GraphQL changes the threat model

GraphQL collapses dozens of REST endpoints into a single one. That is great for product velocity and terrible for traditional WAFs, rate limiters and per-route authorization.

Most security teams still treat /graphql like a single endpoint. Attackers treat it as hundreds of endpoints, each with its own auth and data exposure surface.

Recon and introspection leaks

Even with introspection disabled in production, the field suggestions in validation errors (`Did you mean: adminEmail?`) leak the schema one field name at a time. Tools like clairvoyance and graphw00f reconstruct the entire schema in minutes.

Document a deliberate policy: introspection off in prod, suggestions off, error verbosity minimised, and a persisted-queries allowlist for first-party clients.

Authorization at the resolver layer

BOLA (Broken Object Level Authorization) is the #1 GraphQL finding we report. Resolvers that trust ID arguments without re-checking ownership on every nested edge are common.

Authorization belongs in the data layer, not the gateway. Use a per-field policy engine or check ownership in resolvers — never assume the parent resolver already validated.

Query complexity and denial of service

A single 2KB query can fan out to millions of database rows via aliasing, deep nesting and circular fragments. Without depth limits, complexity scoring and per-operation timeouts, your API is one curl away from an outage.

We test with crafted queries, batch operations, and field duplication via aliases. Most teams discover their cost limits are advisory rather than enforced.

Injection, SSRF and file upload

Variables interpolated into ORM or raw database queries instead of being bound as parameters lead to NoSQL/SQL injection. Resolvers that fetch user-supplied URLs are SSRF vectors against the cloud metadata service.

File-upload mutations are repeatedly mis-scoped — content-type whitelisting, magic-byte validation, and S3 prefix isolation are usually missing.

Hardening checklist

Disable introspection and suggestions in prod. Persist queries for trusted clients. Enforce depth/complexity/timeouts at the gateway. Re-check authz in every resolver. Log per-operation metrics, not per-endpoint.

Run a GraphQL-specific pentest at least annually and after every schema change touching auth or PII. Generic API testing misses most of these.
