This Cheat Sheet provides guidance on the various areas that need to be considered when working with GraphQL:

  • Apply proper input validation checks on all incoming data. Expensive queries can lead to Denial of Service (DoS), so add checks that limit or reject queries that are too expensive (for example by depth, complexity or the number of selections per request).
  • Ensure that the API has proper access control checks.
  • Disable insecure default configurations (e.g. introspection, GraphiQL, excessive errors, etc.).

Common Attacks

  • Injection - this usually includes but is not limited to:
      • SQL and NoSQL injection
      • OS Command injection
      • SSRF and CRLF injection/Request Smuggling
  • DoS (Denial of Service)
  • Abuse of broken authorization: either improper or excessive access, including IDOR
  • Batching Attacks, a GraphQL-specific method of brute force attack
  • Abuse of insecure default configurations
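As an added illustration of the query-cost checks recommended above and of the batching attack listed here (example code written for this page, not part of the OWASP cheat sheet or of any GraphQL library), the following pre-execution gate measures a raw GraphQL document and rejects it when it nests too deeply or packs too many aliased root selections into one request. The limits, the sample documents and the function names are assumptions for the example.

```javascript
const LIMITS = { maxDepth: 5, maxRootFields: 3 }; // assumed limits for this example

// Blank out string literals and # comments so braces inside them are not counted.
function stripStringsAndComments(doc) {
  let out = "";
  for (let i = 0; i < doc.length; ) {
    if (doc.startsWith('"""', i)) {                 // block string """..."""
      const end = doc.indexOf('"""', i + 3);
      i = end === -1 ? doc.length : end + 3;
      out += '""';
    } else if (doc[i] === '"') {                    // ordinary string, honour \" escapes
      for (i++; i < doc.length && doc[i] !== '"'; i++) if (doc[i] === "\\") i++;
      i++;
      out += '""';
    } else if (doc[i] === "#") {                    // comment runs to end of line
      while (i < doc.length && doc[i] !== "\n") i++;
    } else { out += doc[i++]; }
  }
  return out;
}

// Deepest selection-set nesting plus the number of selections directly under the
// top-level braces (each alias is a separate root selection). Fragment spreads count
// as one selection and are not expanded; production code should measure the parsed AST.
function measureQuery(doc) {
  const tokens = stripStringsAndComments(doc)
    .match(/\.\.\.|[A-Za-z_][A-Za-z0-9_]*|"[^"]*"|\S/g) || [];
  let depth = 0, paren = 0, maxDepth = 0, rootFields = 0, prev = "";
  for (const t of tokens) {
    if (t === "(") paren++;                         // arguments are not selections
    else if (t === ")") paren--;
    else if (t === "{") maxDepth = Math.max(maxDepth, ++depth);
    else if (t === "}") depth--;
    else if (depth === 1 && paren === 0 && /^[A-Za-z_]/.test(t) && t !== "on"
             && ![":", "@", "$", "on"].includes(prev)) rootFields++;
    prev = t;
  }
  return { depth: maxDepth, rootFields };
}

// Gate to run before execution: reject the document instead of resolving it.
function checkQuery(doc, limits = LIMITS) {
  const m = measureQuery(doc);
  if (m.depth > limits.maxDepth) return { ok: false, reason: `nesting depth ${m.depth} exceeds ${limits.maxDepth}` };
  if (m.rootFields > limits.maxRootFields) return { ok: false, reason: `${m.rootFields} root selections exceed ${limits.maxRootFields}` };
  return { ok: true, reason: "" };
}

// Constructed sample documents: a normal query, a deeply nested one, and an aliased batch.
const NORMAL_QUERY = "query Q($id: ID!) { user(id: $id) { name posts { title } } }";
const DEEP_QUERY = "{ a { b { c { d { e { f { g } } } } } } }";
const BATCHED_QUERY = "{ u1: user(id: 1) { name } u2: user(id: 2) { name } u3: user(id: 3) { name } u4: user(id: 4) { name } }";
```

The same check is better expressed as a validation rule over the parsed AST in a real server, where fragments are expanded and per-field cost weights can be applied.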

