GraphQL Attacks

Introspection

GraphQL-Voyager

Burp Suite extension - InQL

DoS Attacks

Identify a loop between objects

Batching Attacks

Batching in GraphQL refers to executing multiple queries with a single request.

POST /graphql HTTP/1.1
Host: 172.17.0.2
Content-Length: 86
Content-Type: application/json

[
    {
        "query":"{user(username: \"admin\") {uuid}}"
    },
    {
        "query":"{post(id: 1) {title}}"
    }
]
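
A server-side check for the batched request above, as an added example that is not part of the original page: it counts every entry of a JSON array body as one operation, so batch-size limits and per-client budgets apply per query rather than per HTTP request. The limit values and the names `count_operations` and `OperationBudget` are assumptions chosen for illustration.

```python
import json

MAX_BATCH = 5            # assumed policy: most operations allowed in one request
BUDGET_PER_WINDOW = 20   # assumed policy: operations per client per window

def count_operations(body: str) -> int:
    """Return the number of GraphQL operations carried by a JSON request body."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if isinstance(payload, dict):          # ordinary single-query request
        payload = [payload]
    if not isinstance(payload, list) or not payload:
        raise ValueError("expected an object or a non-empty array")
    for item in payload:
        if not isinstance(item, dict) or not isinstance(item.get("query"), str):
            raise ValueError("every batch entry needs a string 'query'")
    return len(payload)

class OperationBudget:
    """Charges a client per operation instead of per HTTP request (in memory)."""

    def __init__(self, budget=BUDGET_PER_WINDOW, max_batch=MAX_BATCH):
        self.budget, self.max_batch, self.used = budget, max_batch, {}

    def admit(self, client: str, body: str):
        """Return (HTTP status, reason) for one incoming request body."""
        try:
            n = count_operations(body)
        except ValueError as exc:
            return 400, str(exc)
        if n > self.max_batch:
            return 413, f"batch of {n} exceeds limit {self.max_batch}"
        spent = self.used.get(client, 0)
        if spent + n > self.budget:
            return 429, "operation budget exhausted"
        self.used[client] = spent + n
        return 200, f"{n} operation(s) admitted"

    def reset(self):
        """Call at the start of each rate-limit window."""
        self.used.clear()

# Constructed sample: the two-query batch shown in the request above.
SAMPLE_BATCH = json.dumps([
    {"query": '{user(username: "admin") {uuid}}'},
    {"query": "{post(id: 1) {title}}"},
])
```

This only covers array batching as shown in the request; several aliased fields inside one `query` string still count as a single operation here.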