GraphQL Injection

GraphQL Injection refers to a family of attacks against GraphQL APIs: manipulating the query itself, injecting into backend data stores through field arguments, and abusing the flexible, nested query structure to read data the caller is not authorized to see or to cause denial of service.

Common Attack Vectors

Argument Injection

# If arguments are used in backend queries unsafely:
query {
  user(id: "1 OR 1=1") {
    email
    password
  }
}

# NoSQL injection in filters
query {
  users(filter: {email: {$regex: ".*"}}) {
    email
  }
}
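The two argument-injection queries above only work when a resolver hands the argument to the data store without validation. The following Python example is added here and is not code from the original page; it shows a vulnerable resolver that interpolates the `id` argument into SQL next to a hardened one that validates and binds it, plus a filter validator that refuses the `$regex` operator document. The `users` table, its rows, the resolver names and the filter allowlist are all constructed for this illustration.

```python
# Added example (not from the original page): the same GraphQL argument
# handled by an unsafe resolver and by a parameterized one, and a filter
# validator for the NoSQL operator case. All names and rows are constructed.
import sqlite3

ALLOWED_FILTER_FIELDS = {"email", "name"}   # constructed allowlist of filterable fields


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.test", "hash1"), (2, "bob@example.test", "hash2")],
    )
    return conn


def resolve_user_unsafe(conn, user_id):
    """Vulnerable: the GraphQL argument is interpolated straight into SQL,
    so an argument of `1 OR 1=1` widens the WHERE clause to every row."""
    sql = f"SELECT id, email FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def resolve_user_safe(conn, user_id):
    """Hardened: the argument is coerced to the scalar type the schema promises
    (an integer) and then bound as a query parameter, never concatenated."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return conn.execute("SELECT id, email FROM users WHERE id = ?", (uid,)).fetchall()


def validate_filter(filter_obj):
    """Accept only exact-match filters on allowlisted fields. Operator keys
    (starting with '$') and nested documents are refused, so a client cannot
    smuggle operators such as $regex into the backend query."""
    if not isinstance(filter_obj, dict):
        raise ValueError("filter must be an object")
    for key, value in filter_obj.items():
        if key.startswith("$") or key not in ALLOWED_FILTER_FIELDS:
            raise ValueError(f"filter field not allowed: {key}")
        if not isinstance(value, str):
            raise ValueError(f"filter value for {key} must be a plain string")
    return filter_obj


def demo():
    """Run both resolvers against the page's `1 OR 1=1` argument and the
    validator against the `$regex` filter; returns the outcomes for inspection."""
    conn = make_db()
    injected = "1 OR 1=1"
    results = {"unsafe_rows": len(resolve_user_unsafe(conn, injected))}
    results["safe_lookup"] = resolve_user_safe(conn, "1")
    try:
        resolve_user_safe(conn, injected)
        results["safe_rejects_injection"] = False
    except ValueError:
        results["safe_rejects_injection"] = True
    try:
        validate_filter({"email": {"$regex": ".*"}})
        results["filter_rejects_operator"] = False
    except ValueError:
        results["filter_rejects_operator"] = True
    results["filter_accepts_plain"] = validate_filter({"email": "alice@example.test"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe resolver returns both constructed rows for the injected argument; the hardened one rejects it before the database is touched, and the filter validator turns the operator document into an error rather than a full-collection match.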

Query Manipulation

# Accessing fields not intended for user
query {
  user(id: 1) {
    name
    email
    password      # Sensitive field
    isAdmin       # Authorization check bypass
  }
}

# Nested query amplification
query {
  posts {
    author {
      posts {
        author {
          # Deep nesting causes performance issues
        }
      }
    }
  }
}

Security Issues

  • Lack of field-level authorization
  • Excessive data exposure through introspection
  • No depth/complexity limits on queries
  • Batch query abuse
  • Injection through dynamic resolvers

Prevention

  • Implement field-level authorization
  • Disable introspection in production
  • Set query depth and complexity limits
  • Use parameterized queries in resolvers
  • Rate limit and monitor queries
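Two of the Prevention items, field-level authorization and query depth limits, directly address the Query Manipulation examples above (the `password`/`isAdmin` selection and the deeply nested `posts`/`author` query). The Python example below is added here and is not code from the original page; it implements a small pre-execution check with a hand-written GraphQL tokenizer, so it runs without any GraphQL library. The field policy, role names, depth limit and the `check_query`/`analyze` function names are constructed for this illustration; the two queries are copies of the page's own examples.

```python
# Added example (not from the original page): a pre-execution check that
# measures selection-set depth and enforces a per-field role policy on a
# GraphQL document. The policy, roles and function names are constructed.

# Constructed policy: fields that need a role to be selected. An empty set
# means the field is never selectable through the API at all.
FIELD_ROLES = {"password": frozenset(), "isAdmin": frozenset({"admin"})}

FIELD_QUERY = """
query {
  user(id: 1) {
    name
    email
    password      # Sensitive field
    isAdmin       # Authorization check bypass
  }
}
"""

NESTED_QUERY = """
query {
  posts { author { posts { author {
    # Deep nesting causes performance issues
  } } } }
}
"""


def tokenize(query):
    """Split a GraphQL document into names and punctuators; comments and
    string literals are dropped so their contents cannot confuse the walk."""
    tokens, i, n = [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch.isspace() or ch == ",":
            i += 1
        elif ch == "#":                      # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif ch == '"':                      # string literal, honouring backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        elif ch.isalpha() or ch == "_":
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            tokens.append(query[i:j])
            i = j
        else:
            tokens.append(ch)
            i += 1
    return tokens


def analyze(query):
    """Return (max_depth, fields): the deepest selection-set nesting (the
    top-level selection set counts as depth 1) and every field name selected,
    resolving aliases to the real field and skipping argument lists."""
    tokens = tokenize(query)
    depth = max_depth = 0
    fields, i = [], 0
    while i < len(tokens) and tokens[i] != "{":   # skip operation keyword/name/variables
        i += 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "(":                      # argument list: skip to the matching ')'
            level = 1
            while level and i + 1 < len(tokens):
                i += 1
                level += {"(": 1, ")": -1}.get(tokens[i], 0)
        elif tok == "@":                      # directive: skip its name; '(' branch skips args
            i += 1
        elif tok == ".":                      # '...Fragment' or '... on Type'
            while i + 1 < len(tokens) and tokens[i + 1] == ".":
                i += 1
            if i + 1 < len(tokens) and tokens[i + 1] == "on":
                i += 2
            elif i + 1 < len(tokens) and tokens[i + 1].isidentifier():
                i += 1
        elif tok.isidentifier():
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                i += 2                        # alias: the real field follows the colon
                tok = tokens[i]
            fields.append(tok)
        i += 1
    return max_depth, fields


def check_query(query, roles, max_depth=5):
    """Return a list of policy violations; an empty list means the query may run."""
    depth, fields = analyze(query)
    errors = []
    if depth > max_depth:
        errors.append(f"query depth {depth} exceeds limit {max_depth}")
    for name in sorted(set(fields), key=fields.index):
        allowed = FIELD_ROLES.get(name)
        if allowed is not None and not (set(roles) & allowed):
            errors.append(f"field '{name}' not permitted for roles {sorted(roles)}")
    return errors


if __name__ == "__main__":
    print(check_query(FIELD_QUERY, {"user"}))
    print(check_query(NESTED_QUERY, {"user"}, max_depth=3))
```

Running the check before the resolvers execute is the point: the `password` field is refused for every role because it is absent from the allowed set, `isAdmin` is refused unless the caller holds `admin`, and the nested query is rejected on depth alone without touching the database. Query complexity scoring (weighting list fields and multipliers) builds on the same walk but is not shown here.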

See Also