Awesome Graphql Security

A curated list of awesome GraphQL Security frameworks, libraries, software and resources

• Awesome Graphql Security
  • Defensive Security Tools
    • Continous Security Testing
    • Authentication & Authorization
  • Offensive Security Tools
    • Discovery
    • Exploitation
    • Vulnerable Applications
  • Resources
    • Vulnerabilities
    • Blogs
  • Contributing

---

Defensive Security

Continous Security Testing

• Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.

Authentication & Authorization

• GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.

Offensive Security

Discovery

• Voyager - Represent any GraphQL API as an interactive graph.
• Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
• Graphw00f - GraphQL Server Engine Fingerprinting utility

Exploitation

• InQL - A Burp Extension for GraphQL Security Testing.
• GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
• GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
• GraphQL Path Enum - Tool that lists the different ways of reaching a given type in a GraphQL schema.

Vulnerable Applications

• Damm Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

Resources

Vulnerabilities

• File Inclusion and Directory Traversal - File Inclusion and Directory Traversal in GraphQL.
• Verbose Errors Suggestions - When GraphQL Error Messages become a Security Issue.
• Aliasing Attacks - Addressing the Security concerns of GraphQL Aliases.
• GraphQL CSRF - Understanding and Dealing with Cross-Site Request Forgery Attacks (CSRF) in GraphQL
• GraphQL Cyclic Queries and Depth Limiting - The relational aspect of GraphQL can be a vulnerability exploited by running deep and cyclic queries causing your API to crawl under the load and crash.
• HTTPS and GraphQL - How HTTPS can prevent Data Leaks
• SQL Injection - SQL Injections in GraphQL

Blogs

• Access Control Best Practices for GraphQL with Authentication and Authorization - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
• The GraphQL Security Blog - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
• Apollo Blog - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

We will keep some pull requests open if we are not sure whether those libraries are awesome, you could vote for them by adding 👍 to them.

---

If you have any question about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.