API50 items

GraphQL API Pentest Checklist

A targeted checklist for GraphQL endpoints that goes beyond REST-style API testing. Covers introspection, schema-aware authorization tests, alias and batched-query abuse, and resolver-layer injection.

Mapped to the OWASP API Top 10 (2023), OWASP WSTG, and the GraphQL Foundation security guidance.

OWASP API Top 10 (2023)OWASP WSTGGraphQL Foundation Spec

Progress: 0 of 50 items

Discover the GraphQL endpoint(s) in scopeinfo

Common paths: /graphql, /api/graphql, /v1/graphql, /graphiql, /playground, /altair. Confirm whether multiple endpoints serve different roles (public vs admin).

Commands

ffuf -w paths.txt -u https://target/FUZZ -mc 200,400 -t 50

graphw00f -t https://target/graphql -d

References

graphw00f - GraphQL fingerprinter

Confirm whether introspection is enabled in the test environmentinfo

A `__schema` probe is the cheapest discovery tool. Note whether introspection is on globally, on for staging only, or off (then plan for graphql-clairvoyance).

Commands

curl -sX POST https://target/graphql -H "Content-Type: application/json" -d '{"query":"{__schema{queryType{name}}}"}'

Document scoping nuances (depth limits, mutation allow-lists)info

GraphQL pentest scope often excludes recursive depth bombs or destructive mutations. Get the exclusion list in writing before fuzzing.

Identify the GraphQL server implementation and versionlow

Apollo, graphql-yoga, Hasura, Hot Chocolate, graphene, etc. each have distinct default behaviours and CVEs. graphw00f outputs implementation fingerprints.

Commands

graphw00f -t https://target/graphql -f

Capture authentication mechanism (cookie, bearer, API key)info

Some servers accept the same query unauthenticated and reveal more types when auth is supplied. Test both paths and note the diff.

Identify all client roles and obtain test credentials per rolehigh

Field-level authorization can only be tested if you have at least two roles. Request anonymous, normal-user, and privileged-user credentials.

Set up an interception proxy with GraphQL awarenessinfo

Use Burp Suite with the InQL extension or Caido GraphQL plug-in to render queries human-readably and to send tampered queries quickly.

References

InQL - Burp Suite GraphQL extension

Establish a baseline query catalogue from client trafficinfo

Capture all GET/POST queries the legit client sends. This is your starting corpus for tampering and the baseline for diffing later.

Confirm whether GET-based queries are acceptedmedium

GraphQL-over-GET enables CSRF and cache-poisoning attack surface. Note whether query, variables, and operationName are accepted via query string.

Reference the OWASP GraphQL Cheat Sheet for known abuse patternsinfo

OWASP maintains a current cheat sheet of GraphQL-specific risks - load it into your notes so nothing standard slips by.

References

OWASP GraphQL Cheat Sheet
PortSwigger Web Security Academy - GraphQL

Run a full introspection query and dump the schemamedium

If introspection is enabled, capture the full schema via the canonical introspection query. This is the map for every later test.

Commands

gql-cli https://target/graphql --print-schema > schema.graphql

apollo-cli schema:download --endpoint https://target/graphql schema.json

Evidence to capture

schema.graphql artefact attached to the report

References

GraphQL Spec - Introspection

When introspection is disabled, run schema-clairvoyancemedium

clairvoyance reconstructs schemas by fuzzing field names against error messages. Slow but effective on production where introspection is locked.

Commands

clairvoyance --target https://target/graphql -w wordlist.txt -o schema.json

References

clairvoyance - GraphQL schema discovery

Diff staging vs production schemas for leaked dev fieldshigh

Internal-only fields often survive into production schemas. Fields named *_internal, debug*, admin* are high-signal.

Enumerate suggested fields via "did you mean" hintsmedium

Most servers (Apollo, graphene) leak field-name suggestions on typos. Drive a wordlist through field-name slots and harvest suggestions.

Identify mutations vs queries and tag side-effecting operationshigh

Mutations are the high-value targets - both for BOLA testing and for destructive bugs. List them, assess privilege required, and note side effects.

Build a deeply-nested query that exercises connection edgeshigh

Chase user.posts.comments.author.posts... down 6+ levels. Real PII often hides in transitively-loaded edges that the front-end never asks for.

Test recursive query depth and query-cost limitshigh

Send a query of progressively deeper recursion (or fragment-cycle) until it errors. The threshold tells you the resource-DoS budget.

Identify custom scalars (URL, JSON, Upload) that may hide attackshigh

Custom scalars are typed `String` server-side. Any URL/JSON-typed scalar is a candidate for SSRF, prototype pollution, or path traversal.

Cheat sheet · /cheat-sheets/ssrf

Map every input type to the underlying database modelmedium

GraphQL hides ORM behaviour. Use error messages, response shape, and sometimes intentional type errors to infer Postgres/Mongo/Elastic backends.

Check whether the server exposes /graphiql, /playground, /voyagermedium

These developer UIs sometimes survive into production with introspection enabled and CSRF-relaxed CORS, expanding attack surface considerably.

Test BOLA on every read field that takes an IDcritical

OWASP API1. Substitute another tenant`s record IDs into queries. Particularly effective via fragments where the tested field is several levels deep.

References

OWASP API1: Broken Object-Level Authorization

Test BOLA across mutations (the higher-impact half)critical

Mutations like deletePost(id), updateUser(id, ...), transferFunds(from, to) - confirm authorization is checked on every mutable target ID.

Probe field-level authorization on returned objectscritical

Common bug: object-level auth passes but a sensitive field on the object (`creditCard`, `ssn`, `internalNotes`) is exposed regardless of role.

Test transitive authorization via nested edgescritical

You may not be authorized to read User(id=42) directly, but Post(id=mine).author may resolve User(42) without re-checking.

Verify that role-restricted mutations are not exposed to lower rolescritical

Some implementations enforce role checks only in resolvers, not in schema directives. Send the mutation as a basic user and observe.

Test SSRF via URL-typed inputs (avatar, webhook, importFromUrl)critical

Anywhere a mutation accepts a URL, probe with internal IPs, cloud metadata endpoints, and DNS-rebinding bait.

References

Vulnsy SSRF Cheat Sheet

Cheat sheet · /cheat-sheets/ssrf

Test for IDOR in pagination cursorshigh

Opaque base64 cursors often decode to predictable IDs or "afterId=N". Replay another tenant`s cursor against the query.

Verify CSRF defences for mutations served over POST/JSON and GEThigh

GraphQL-over-GET enables classic CSRF. POST + JSON only is generally safe, but CORS misconfig or text/plain content type defeats that.

Test JWT / session-token swap on persisted querieshigh

Persisted queries by hash skip parsing. Confirm the auth check still runs when the query is served from the persisted-query cache.

Probe directive bypasses (@skip, @include, @defer)medium

Crafted @skip/@include conditions can sometimes elide authorization directives, or reorder execution to read protected fields.

Test SQL injection in resolver-mapped string argumentscritical

Raw-string filters (`where`, `orderBy`, `q`) are the primary SQLi vector. Use sqlmap with the JSON variables and watch boolean / time-based behaviour.

Commands

sqlmap -u "https://target/graphql" --method POST --data '{"query":"query($q:String!){search(q:$q){id}}","variables":{"q":"*"}}' --batch --level 5

References

Vulnsy SQL Injection Cheat Sheet

Cheat sheet · /cheat-sheets/sql-injection

Test NoSQL injection in resolvers backed by Mongo / Elasticcritical

Filters that accept JSON-shaped objects can be bent into $ne, $gt, $regex queries to bypass auth or dump records.

Cheat sheet · /cheat-sheets/sql-injection

Run alias-based brute-force attackscritical

GraphQL aliases let one HTTP request fire 1000 login attempts as alias_1: login(...) ... alias_1000: login(...). Bypasses naive rate limits.

Commands

cat alias-bruteforce.json | curl -sX POST -H "Content-Type: application/json" -d @- https://target/graphql

References

PortSwigger - Bypassing rate-limit via aliases

Run batched-query abuse (array of operations)high

Apollo/Yoga support `[ {query: ...}, {query: ...} ]`. Same effect as aliases for rate-limit bypass and useful when aliases are filtered.

Test query-cost / depth-bomb DoShigh

Build a recursive fragment cycle or 1000-edge query and confirm whether the server enforces cost analysis or depth limits.

References

OWASP API4: Unrestricted Resource Consumption

Test field-duplication amplificationhigh

`{ user { id id id id ... id } }` repeated thousands of times can amplify response size massively without triggering depth checks.

Probe Server-Side Template Injection in resolvers that render stringshigh

GraphQL servers in Node.js sometimes feed scalar inputs into ejs/handlebars templates. Standard SSTI payloads still apply.

Test command injection in resolvers that shell outcritical

Filename or URL-typed scalars sometimes feed `exec(...)` for thumbnails or file conversion. Probe with backticks, $(id), and ;.

Test XXE / SSRF via file-upload mutationscritical

GraphQL multipart spec uploads (Apollo) can carry XML/SVG/PDF that triggers XXE or SSRF on parse. Provide each MIME type and watch back-channels.

Verify error-message hygiene for sensitive leakagemedium

Stack traces, ORM query strings, internal hostnames - GraphQL errors are notoriously verbose. Trigger errors in every resolver class and review.

Produce a schema diff against the documented "public" schemainfo

Show what fields, mutations, and types are reachable but undocumented. Often the highest-impact section for stakeholders.

Map findings to OWASP API Top 10 (2023) per-iteminfo

API1/API3/API4 are the workhorses of GraphQL findings. Tag each result so risk-owners can dedupe across REST and GraphQL reports.

References

OWASP API Top 10 (2023)

Present the abuse-class taxonomy (alias, batch, cost, depth)info

Most teams know SQLi but not GraphQL-specific abuse classes. A short taxonomy with examples accelerates remediation.

Recommend introspection / GraphiQL posture for productionmedium

Generally: introspection off in prod, on in staging behind auth; GraphiQL/Playground off in prod outright.

Recommend cost-analysis / depth-limit middlewarehigh

Reference graphql-cost-analysis, graphql-depth-limit, Apollo`s built-in plugins, and document tuned thresholds based on test data.

References

graphql-cost-analysis

Recommend persisted queries / allow-listed operationshigh

Highest-leverage long-term fix. Limits the public API surface to a known set of hashes - kills most introspection-driven attacks.

Document any rate-limit bypass via aliases / batchinghigh

Specifically callout how counts changed (1 HTTP request -> 1000 logical operations) so the AppSec team can fix at the right layer.

Recommend per-resolver authorization (not just schema directives)medium

Schema directives are easy to bypass via fragments and persisted queries. Authorization should ultimately live in the resolver layer.

Provide replay artefacts (curl + gql variables) for every findinginfo

GraphQL findings reproduce poorly without the exact body. Attach the request payload as a curl one-liner and as a gql-cli command.

Schedule a regression test against the schema diff post-fixinfo

GraphQL schemas change weekly. A frozen-time pentest decays fast - bake a post-fix re-test (or schema-diff CI gate) into the SoW.

GraphQL API Pentest Checklist

Pre-Engagement

Schema Discovery & Introspection

Authorization Testing

Injection & Abuse Vectors

Reporting

Report Vulnerabilities Faster with Vulnsy