Over the past few months I've been researching GraphQL security and attack surfaces, particularly patterns that show up in bug bounty reports and real-world APIs.
I wrote a deep dive covering three issues that frequently appear in GraphQL implementations:
• Schema enumeration – discovering hidden fields and operations even when introspection is disabled
• Batch abuse – abusing batched queries for large-scale enumeration
• Resolver explosions – crafting queries that trigger exponential resolver execution and potential DoS
The article explains how these attacks work and why they often bypass naive defenses.
Would be interested in hearing how teams here approach securing GraphQL APIs in production.
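Since the post asks how teams secure GraphQL in production, here is one concrete defensive building block for two of the three issues it lists: a pre-execution request gate that rejects oversized array batches, alias-batched operations and deeply nested queries before any resolver runs. This is an added example and not code from the article or from the GQLS project; the limits, the helper names and the sample request bodies are all assumed or constructed for illustration. It works on the raw query string and does not expand fragment spreads, so in a real deployment the same checks belong in validation rules over the parsed document (depth and cost rules in graphql-core, Apollo or similar), with this gate as a cheap first filter.

```python
import json
import re

# Assumed limits for this example; tune them to what legitimate clients need.
MAX_BATCH_OPERATIONS = 5   # operations per HTTP request (array batching)
MAX_ALIASES = 10           # aliased fields per operation (alias batching)
MAX_DEPTH = 6              # selection-set nesting; the top-level set counts as 1

_TOKEN = re.compile(r'[A-Za-z_]\w*|[(){}:]')
_PUNCT = set('(){}:')


def strip_strings_and_comments(query: str) -> str:
    """Blank out string literals and # comments so braces and colons inside them are ignored."""
    out, i, n = [], 0, len(query)
    while i < n:
        c = query[i]
        if c == '#':                                   # line comment
            while i < n and query[i] != '\n':
                i += 1
        elif query.startswith('"""', i):               # block string
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
        elif c == '"':                                 # plain string with escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == '\\' else 1
            i += 1
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def query_metrics(query: str) -> tuple:
    """Return (depth, aliases): deepest selection-set nesting and the number of
    `alias: field` pairs. Braces and colons inside parentheses belong to argument
    lists or variable definitions and are not counted. Fragment spreads are not
    expanded, so this is a pre-parse gate, not a substitute for validation rules."""
    tokens = _TOKEN.findall(strip_strings_and_comments(query))
    paren = depth = deepest = aliases = 0
    for i, tok in enumerate(tokens):
        if tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif paren:
            continue                                   # inside an argument list
        elif tok == '{':
            depth += 1
            deepest = max(deepest, depth)
        elif tok == '}':
            depth -= 1
        elif (tok == ':' and 0 < i < len(tokens) - 1
              and tokens[i - 1] not in _PUNCT and tokens[i + 1] not in _PUNCT):
            aliases += 1
    return deepest, aliases


def check_request(body: str) -> list:
    """Reasons to reject an HTTP request body before execution; an empty list means accept."""
    try:
        payload = json.loads(body)
    except ValueError:
        return ['body is not valid JSON']
    ops = payload if isinstance(payload, list) else [payload]
    problems = []
    if len(ops) > MAX_BATCH_OPERATIONS:
        problems.append(f'batch of {len(ops)} operations exceeds {MAX_BATCH_OPERATIONS}')
    for idx, op in enumerate(ops):
        query = op.get('query') if isinstance(op, dict) else None
        if not isinstance(query, str):
            problems.append(f'operation {idx}: missing query string')
            continue
        depth, aliases = query_metrics(query)
        if depth > MAX_DEPTH:
            problems.append(f'operation {idx}: depth {depth} exceeds {MAX_DEPTH}')
        if aliases > MAX_ALIASES:
            problems.append(f'operation {idx}: {aliases} aliases exceed {MAX_ALIASES}')
    return problems


# Constructed sample request bodies for the demo (not taken from the article).
NORMAL_QUERY = 'query Me($id: ID!) { user(id: $id) { name posts { title } } }'
NORMAL_BODY = json.dumps({'query': NORMAL_QUERY, 'variables': {'id': '1'}})
DEEP_BODY = json.dumps({'query': '{ a { b { c { d { e { f { g } } } } } } }'})
ALIAS_BODY = json.dumps({'query': '{ ' + ' '.join(
    f'u{i}: user(id: {i}) {{ name }}' for i in range(12)) + ' }'})
ARRAY_BATCH_BODY = json.dumps([{'query': NORMAL_QUERY}] * 6)

if __name__ == '__main__':
    for label, body in [('normal', NORMAL_BODY), ('deep', DEEP_BODY),
                        ('alias-batch', ALIAS_BODY), ('array-batch', ARRAY_BATCH_BODY)]:
        print(label, check_request(body) or 'accepted')
```

Running it as a script prints one line per constructed body: the normal query is accepted, the nested one is rejected for depth, the aliased one for alias count and the array for batch size. Log the rejection reasons with the client identity; a steady stream of depth or alias rejections from one source is a useful detection signal on its own.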
Top comments (1)
This research led to the development of gqls, a GraphQL security scanner: github.com/omkoli/GQLS-CLI