Q18 of 20 · GraphQL

What security risks are specific to GraphQL, and how do you test for them?

GraphQLSeniorgraphqlsecurityseniorapi

Short answer

Short answer: Beyond standard injection, GraphQL adds: introspection exposing the API surface, deeply-nested/expensive queries as a DoS vector, nested-authorisation bypass, and batching abuse. Test introspection per environment, query depth/complexity limits, field-level authz, and injection via variables.

Detail

GraphQL's flexibility creates a distinct security surface. The main risks and their tests:

  1. Introspection exposure__schema reveals the whole API. Test that production disables it (and dev enables it intentionally).
  2. Query depth / complexity DoS — client-built queries can be made arbitrarily expensive. Test that depth and cost limits reject abusive queries.
  3. Nested authorisation bypass — a query traversing into nested fields can leak data if authz is only at the root. Test field/object-level authz (see the nested-authz question).
  4. Injection — SQL/NoSQL injection still applies through resolver arguments. Test that inputs passed as variables are handled safely and that interpolation isn't happening server-side.
  5. Batching abuse — GraphQL allows batched operations/aliases; an attacker can use aliases to brute-force (e.g. many login attempts in one request, bypassing naive rate limits). Test that rate limiting accounts for aliased/batched operations.

Pair this with a tool like Pynt for automated API security scanning driven from functional tests, and standard DAST tooling. The QA mindset: GraphQL's "ask for anything" power is also its attack surface.

// WHAT INTERVIEWERS LOOK FOR

GraphQL-specific risks beyond generic injection — introspection, depth/complexity DoS, nested authz, alias-batching abuse — each with a test.

// Related questions

What is the difference between authentication and authorisation, and how do you test each?

Security

What are query depth and complexity limits, and why test them?

GraphQL