GraphQL Pentesting Methodology

Hitting a GraphQL endpoint is a different job to testing REST — no routes to enumerate, just one URL and a type system hiding behind it. The whole engagement turns on getting that schema out. The workflow that works: find the endpoint, pull the schema with introspection or rebuild it with Clairvoyance when it is locked, read it fast with InQL and Voyager, then turn the map into findings — broken object-level auth, and the batching and alias tricks that quietly demolish rate limits.
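On the defensive side of the batching and alias point, a rate limiter has to charge what a request asks the server to do, not the single HTTP call that carries it. The sketch below is an added example, not code from this article: the function names, the budget of 10 and the sample bodies are assumptions, and the alias count is a token-level heuristic where a production server would count on the parsed query.

```python
import json
import re

# Blank out strings and comments first so their contents cannot fake an alias.
_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_TOKEN = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|[():]')


def count_aliases(query):
    """Count `alias: field` pairs in a GraphQL document.

    Inside parentheses a `name:` is an argument or a variable definition,
    so only a colon at parenthesis depth 0 marks an alias.
    """
    depth = aliases = 0
    prev = ""
    for tok in _TOKEN.findall(_NOISE.sub(" ", query)):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(0, depth - 1)
        elif tok == ":" and depth == 0 and prev not in ("", "(", ")", ":"):
            aliases += 1
        prev = tok
    return aliases


def request_cost(body):
    """Units to charge one HTTP request: batched operations plus aliases."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    aliases = sum(count_aliases(op.get("query") or "")
                  for op in ops if isinstance(op, dict))
    return {"operations": len(ops), "aliases": aliases,
            "units": len(ops) + aliases}


def within_budget(body, budget=10):  # budget value is an assumption
    return request_cost(body)["units"] <= budget


# Constructed sample bodies, not captured traffic.
ALIASED = json.dumps({"query": 'query Q($n: Int = 1) { a: user(id: 1) { name } '
                               'b: user(id: 2, note: "x: y") { name } }'})
BATCHED = json.dumps([{"query": "{ me { id } }"}] * 12)

if __name__ == "__main__":
    for label, body in (("aliased", ALIASED), ("batched", BATCHED)):
        print(label, request_cost(body), within_budget(body))
```

A limiter that counts HTTP requests sees each of these bodies as one call; charging `units` against the client's budget is what closes that gap.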
