GraphQL OWASP Cheat Sheet
About GraphQL OWASP Cheat Sheet
This Cheat Sheet provides guidance on the various areas that need to be considered when working with GraphQL:
- Apply proper input validation checks on all incoming data. Expensive queries can lead to Denial of Service (DoS), so add checks that limit or reject queries that are too expensive.
- Ensure that the API has proper access control checks.
- Disable insecure default configurations (e.g. introspection, GraphiQL, excessive errors, etc.).
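As an added example that is not part of the OWASP cheat sheet, the following JavaScript shows one shape such a pre-execution check can take: a guard that rejects a GraphQL document before it reaches the resolvers when its selection sets nest too deeply (the expensive-query case above) or when a single operation batches too many root fields through aliases (the batching attack listed further down). It deliberately scans the raw query text for braces instead of using a real GraphQL parser, so the limits, the sample queries and the helper names (`selectionDepth`, `rootFieldCount`, `checkQuery`) are all constructed for illustration; in a real deployment the same limits would be enforced as validation rules on the parsed AST.

```javascript
// Added example, not code from the OWASP cheat sheet or any GraphQL library.
// A minimal pre-execution guard for GraphQL documents: it bounds selection-set
// nesting depth and the number of root fields in one operation. It works on the
// raw query text (brace counting) rather than a parsed AST, so it is an
// illustration of the check, not a drop-in replacement for a real validation rule.

// Remove string literals and comments so braces inside them are not counted.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')    // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')  // ordinary strings
    .replace(/#[^\n]*/g, '');             // line comments
}

// Maximum nesting depth of selection sets; the outermost braces count as 1.
function selectionDepth(query) {
  let depth = 0, max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') { depth += 1; if (depth > max) max = depth; }
    else if (ch === '}') depth -= 1;
  }
  return max;
}

// Number of fields selected directly under the first selection set. An alias
// (`try1: login(...)`) is not counted separately from the field it names, so
// `a: login(...) b: login(...)` counts as 2, which is the batching pattern this
// guard is meant to bound. Argument lists in parentheses are skipped.
function rootFieldCount(query) {
  const text = stripLiterals(query);
  const start = text.indexOf('{');
  if (start < 0) return 0;
  const ident = /[A-Za-z_][A-Za-z_0-9]*/y;  // sticky: match only at lastIndex
  let depth = 0, parens = 0, count = 0;
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (ch === '{') { depth += 1; continue; }
    if (ch === '}') { depth -= 1; if (depth === 0) break; continue; }
    if (ch === '(') { parens += 1; continue; }
    if (ch === ')') { parens -= 1; continue; }
    if (depth !== 1 || parens !== 0) continue;
    ident.lastIndex = i;
    const m = ident.exec(text);
    if (!m) continue;
    i += m[0].length - 1;                   // skip to the end of the identifier
    const isAlias = /^\s*:/.test(text.slice(i + 1));
    if (!isAlias) count += 1;
  }
  return count;
}

// Constructed limits; tune them per schema and measured resolver cost.
const LIMITS = { maxDepth: 5, maxRootFields: 10 };

// Returns { ok, depth, roots, errors } so the caller can log and reject.
function checkQuery(query, limits = LIMITS) {
  const depth = selectionDepth(query);
  const roots = rootFieldCount(query);
  const errors = [];
  if (depth > limits.maxDepth) errors.push(`selection depth ${depth} exceeds ${limits.maxDepth}`);
  if (roots > limits.maxRootFields) errors.push(`${roots} root fields exceed ${limits.maxRootFields}`);
  return { ok: errors.length === 0, depth, roots, errors };
}

// Constructed sample documents: one ordinary query, one nested too deeply,
// and one operation that batches twelve aliased login attempts.
const benign = '{ user(id: 1) { name posts { title } } }';
const deep = '{ a { b { c { d { e { f { g } } } } } } }';
const batchedLogin = 'mutation {\n' +
  Array.from({ length: 12 }, (_, i) => `  try${i}: login(username: "u", password: "p${i}") { token }`).join('\n') +
  '\n}';

for (const [name, q] of [['benign', benign], ['deep', deep], ['batched', batchedLogin]]) {
  console.log(name, JSON.stringify(checkQuery(q)));
}
```

Run the file with `node` to see the three verdicts; the guard accepts the ordinary query and rejects the other two with a reason string suitable for a log line. Because it is text-based, it also counts fragment spreads and directives at the root as fields and treats any brace outside a string as a selection set, which is conservative in the right direction for a limit like this.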
Common Attacks
- Injection, which usually includes but is not limited to:
  - SQL and NoSQL injection
  - OS command injection
  - SSRF and CRLF injection / request smuggling
- DoS (Denial of Service)
- Abuse of broken authorization: either improper or excessive access, including IDOR
- Batching Attacks, a GraphQL-specific method of brute force attack
- Abuse of insecure default configurations
About the OWASP Foundation
OWASP is a nonprofit foundation that works to improve the security of software.