Overview
Scouring the open internet, we can find various tools which perform security audits against GraphQL APIs. One such interesting tool is graphql-cop. GraphQLer can implement some of the checks seen in graphql-cop on a per-request basis.
Deliverables
In the README of graphql-cop:
- Alias Overloading (DoS)
- Batch Queries (DoS)
- GET based Queries (CSRF)
- POST based Queries using urlencoded payloads (CSRF)
- GraphQL Tracing / Debug Modes (Info Leak)
- Field Duplication (DoS)
- Field Suggestions (Info Leak)
- GraphiQL (Info Leak)
- Introspection (Info Leak)
- Directives Overloading (DoS)
- Circular Query using Introspection (DoS)
- Mutation support over GET methods (CSRF)
Implement each of these checks for every request sent.
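The DoS items in the list above (alias overloading, field duplication, directive overloading, batch queries) can all be evaluated per request by parsing the query body rather than by sending anything. The inspector below is an added example, not code from GraphQLer or graphql-cop; it uses a small hand-written tokenizer and parser so it runs on the standard library alone, and the thresholds in `LIMITS` and the sample bodies are constructed assumptions for illustration. The same logic works either as an audit check on a request about to be sent or as a server-side guard rejecting abusive queries.

```python
"""Per-request inspector for GraphQL DoS patterns: alias overloading, field
duplication, directive overloading and batching. Added example, not
GraphQLer or graphql-cop code; standard library only."""
import json
import re
from dataclasses import dataclass

# Tokens: strings, names, numbers, spread, punctuators, comments (dropped).
# Commas and whitespace are insignificant in GraphQL and are never matched.
TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?|\.\.\.|[{}():@$!\[\]=|]|#[^\n]*')
NAME_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')

# Illustrative thresholds (assumptions), not values taken from either project.
LIMITS = {"aliases": 10, "directives": 10, "duplicate_field": 5, "depth": 10, "batch": 5}


@dataclass
class QueryStats:
    aliases: int = 0
    directives: int = 0
    max_duplicate_field: int = 0   # highest repeat count of one field in one selection set
    depth: int = 0                 # deepest nesting of selection sets


class _Parser:
    """Walks selection sets, skips argument lists, tallies QueryStats."""

    def __init__(self, query: str):
        self.toks = [t for t in TOKEN_RE.findall(query) if not t.startswith("#")]
        self.i = 0
        self.stats = QueryStats()

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def skip_parens(self):
        """Skip a balanced (...) group: arguments or variable definitions."""
        depth = 0
        while True:
            depth += (self.take() == "(") - (self.toks[self.i - 1] == ")")
            if depth == 0:
                return

    def directives(self):
        while self.peek() == "@":
            self.take(); self.take()          # '@' and the directive name
            self.stats.directives += 1
            if self.peek() == "(":
                self.skip_parens()

    def document(self) -> QueryStats:
        while self.peek() is not None:
            tok = self.peek()
            if tok == "{":                    # anonymous query shorthand
                self.selection_set(1)
            elif tok in ("query", "mutation", "subscription"):
                self.take()
                if NAME_RE.match(self.peek() or ""):
                    self.take()               # operation name
                if self.peek() == "(":
                    self.skip_parens()        # variable definitions
                self.directives()
                self.selection_set(1)
            elif tok == "fragment":           # fragment Name on Type { ... }
                for _ in range(4):
                    self.take()
                self.directives()
                self.selection_set(1)
            else:
                raise ValueError(f"unexpected token {tok!r}")
        return self.stats

    def selection_set(self, depth: int):
        self.take()                           # '{'
        self.stats.depth = max(self.stats.depth, depth)
        seen = {}                             # field name -> occurrences in this set
        while self.peek() != "}":
            if self.peek() == "...":          # fragment spread or inline fragment
                self.take()
                if self.peek() == "on":
                    self.take(); self.take()  # type condition
                elif self.peek() not in ("{", "@"):
                    self.take()               # spread: fragment name
                self.directives()
                if self.peek() == "{":
                    self.selection_set(depth + 1)
                continue
            name = self.take()
            if self.peek() == ":":            # alias: field  (counts toward aliasing)
                self.take()
                self.stats.aliases += 1
                name = self.take()
            seen[name] = seen.get(name, 0) + 1   # aliased copies still hit the same field
            if self.peek() == "(":
                self.skip_parens()
            self.directives()
            if self.peek() == "{":
                self.selection_set(depth + 1)
        self.take()                           # '}'
        if seen:
            self.stats.max_duplicate_field = max(self.stats.max_duplicate_field, max(seen.values()))


def inspect_request(raw_body: str, limits: dict = LIMITS) -> dict:
    """Parse one JSON request body (single operation or batch array) and
    report the DoS-relevant counts plus any threshold violations."""
    payload = json.loads(raw_body)
    ops = payload if isinstance(payload, list) else [payload]
    total = QueryStats()
    for op in ops:
        s = _Parser(op.get("query", "")).document()
        total.aliases += s.aliases
        total.directives += s.directives
        total.max_duplicate_field = max(total.max_duplicate_field, s.max_duplicate_field)
        total.depth = max(total.depth, s.depth)
    findings = []
    if len(ops) > limits["batch"]:
        findings.append(f"batch of {len(ops)} operations exceeds {limits['batch']}")
    if total.aliases > limits["aliases"]:
        findings.append(f"{total.aliases} aliases exceeds {limits['aliases']}")
    if total.directives > limits["directives"]:
        findings.append(f"{total.directives} directives exceeds {limits['directives']}")
    if total.max_duplicate_field > limits["duplicate_field"]:
        findings.append(f"field repeated {total.max_duplicate_field} times exceeds {limits['duplicate_field']}")
    if total.depth > limits["depth"]:
        findings.append(f"nesting depth {total.depth} exceeds {limits['depth']}")
    return {"operations": len(ops), "aliases": total.aliases, "directives": total.directives,
            "max_duplicate_field": total.max_duplicate_field, "depth": total.depth,
            "findings": findings}


# Constructed sample request bodies (not captured traffic).
BENIGN = json.dumps({"query": "query GetUser($id: ID!) { user(id: $id) { id name posts(first: 5) { title } } }"})
ALIAS_OVERLOAD = json.dumps({"query": "{ " + " ".join(f"a{i}: __typename" for i in range(12)) + " }"})
DIRECTIVE_OVERLOAD = json.dumps({"query": "{ __typename " + " ".join("@include(if: true)" for _ in range(11)) + " }"})
BATCH = json.dumps([{"query": "{ __typename }"}] * 6)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("aliases", ALIAS_OVERLOAD),
                        ("directives", DIRECTIVE_OVERLOAD), ("batch", BATCH)]:
        print(label, inspect_request(body))
```

Aliased copies of a field are counted both as aliases and as repeats of the underlying field, so `a1: user ... a12: user` trips both the alias and the duplication threshold; that matches how the two graphql-cop checks overlap in practice. Queries the tokenizer does not understand raise `ValueError`, which a caller should treat as "reject or hand to a full parser" rather than "safe".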