GraphQL OWASP Cheat Sheet

About GraphQL OWASP Cheat Sheet

This Cheat Sheet provides guidance on the various areas that need to be considered when working with GraphQL:

  • Apply proper input validation checks on all incoming data. Expensive queries can be used for Denial of Service (DoS), so add checks (for example depth and alias limits) that reject queries that are too expensive before they are executed.
  • Ensure that the API has proper access control checks on every field and mutation, not only at the endpoint.
  • Disable insecure default configurations in production (e.g. introspection, GraphiQL, verbose error messages).

Common Attacks

  • Injection, most often SQL and NoSQL injection, but not limited to those
  • OS command injection
  • SSRF, CRLF injection and request smuggling
  • DoS (Denial of Service)
  • Abuse of broken authorization: either improper or excessive access, including IDOR
  • Batching attacks, a GraphQL-specific brute-force technique that packs many operations (aliased fields or an array of queries) into a single request to bypass per-request rate limits
  • Abuse of insecure default configurations
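
The following is an added example, not code from the OWASP cheat sheet or from Apideck, showing how a server-side guard can enforce three of the points above before a document reaches the resolvers: a selection-depth limit against resource-exhaustion DoS, an alias-count limit against batching attacks, and a block on introspection fields. It uses a small hand-written tokenizer instead of a GraphQL library so it runs stand-alone; `MAX_DEPTH` and `MAX_ALIASES` are assumed values to be tuned per schema. Fragment spreads are expanded so that a deep fragment cannot hide depth from the check, and a cyclic fragment is reported as unbounded.

```python
"""Pre-execution guard for GraphQL documents (added example, assumed limits)."""
import re

MAX_DEPTH = 5                       # assumed limit on nested selection sets
MAX_ALIASES = 10                    # assumed limit on aliased fields per document
INTROSPECTION_FIELDS = {"__schema", "__type"}

_TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""'               # block string literal
    r'|"(?:\\.|[^"\\\n])*"'         # string literal
    r'|#[^\n]*'                     # comment
    r'|\.\.\.'                      # spread / inline fragment marker
    r'|[_A-Za-z][_0-9A-Za-z]*'      # name
    r'|[^\s,]'                      # any other punctuator, one char at a time
)


def tokenize(query):
    """Structural tokens only: strings and comments are dropped so braces
    inside them are never mistaken for selection sets."""
    return [t for t in _TOKEN_RE.findall(query) if not t.startswith(('"', '#'))]


def analyze(query):
    toks = tokenize(query)
    depth = paren = aliases = op_depth = 0
    introspection = False
    frag_depths = {}      # fragment name -> raw depth of its own body
    spreads = []          # (container, depth at spread, target fragment)
    container = None      # None inside an operation, else the fragment name
    expect_frag_name = False

    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif paren:
            continue      # inside arguments: braces are input objects, colons are not aliases
        elif t == "fragment" and depth == 0:
            expect_frag_name = True
        elif expect_frag_name:
            container, expect_frag_name = t, False
            frag_depths[t] = 0
        elif t == "{":
            depth += 1
            if container is None:
                op_depth = max(op_depth, depth)
            else:
                frag_depths[container] = max(frag_depths[container], depth)
        elif t == "}":
            depth -= 1
            if depth == 0:
                container = None
        elif t == "...":
            if nxt not in ("on", "{", "@"):      # named spread, not an inline fragment
                spreads.append((container, depth, nxt))
        else:
            if t in INTROSPECTION_FIELDS:
                introspection = True
            if depth and nxt == ":":             # `alias: field` inside a selection set
                aliases += 1

    def frag_depth(name, seen=()):
        # Depth contributed by a fragment, following its own spreads;
        # a cyclic or undefined fragment is unbounded and reported as inf.
        if name in seen or name not in frag_depths:
            return float("inf")
        total = frag_depths[name]
        for cont, d, target in spreads:
            if cont == name:
                total = max(total, d + frag_depth(target, seen + (name,)) - 1)
        return total

    max_depth = op_depth
    for cont, d, target in spreads:
        if cont is None:
            # the fragment's outer selection set is the one the spread sits in
            max_depth = max(max_depth, d + frag_depth(target) - 1)

    violations = []
    if max_depth == float("inf"):
        violations.append("cyclic or undefined fragment spread")
    elif max_depth > MAX_DEPTH:
        violations.append(f"selection depth {max_depth} exceeds {MAX_DEPTH}")
    if aliases > MAX_ALIASES:
        violations.append(f"{aliases} aliased fields exceeds {MAX_ALIASES}")
    if introspection:
        violations.append("introspection fields are disabled")
    return {"depth": max_depth, "aliases": aliases,
            "introspection": introspection, "violations": violations}


def is_allowed(query):
    """True when the document passes all three checks."""
    return not analyze(query)["violations"]


if __name__ == "__main__":
    # Constructed sample: a login brute-force packed into one mutation via aliases.
    batch = "mutation { " + " ".join(
        f'l{i}: login(user: "bob", pass: "p{i}") {{ token }}' for i in range(12)) + " }"
    print(analyze(batch)["violations"])
```

Run this guard before validation and execution, and return a generic error rather than the violation text to unauthenticated callers; the analysis result is also worth logging, since a spike in rejected alias-heavy or introspection queries is an early signal of enumeration.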

About the OWASP Foundation

OWASP is a nonprofit foundation that works to improve the security of software.
