Traditional REST APIs have multiple endpoints (`/api/users`, `/api/products`). GraphQL has ONE endpoint (usually `/graphql`). You send a query defining exactly what data you want, and the server returns exactly that. This flexibility is a nightmare for security teams and a goldmine for hackers.
1. Introspection (The Rosetta Stone)
GraphQL has a built-in feature called Introspection. It allows you to ask the API: "What queries do you support?"
Developers often forget to disable this in production.
By sending a single introspection query, you can dump the entire GraphQL schema, identifying hidden fields like `isAdmin`, `videoDownloadUrl`, or `internal_notes`.
2. Batching Attacks (Bypassing Rate Limits)
In REST, if you want to brute force a 2FA code, you make 10,000 HTTP requests. The WAF (web application firewall) sees this and bans you.
In GraphQL, you can bundle 10,000 queries into ONE HTTP POST request.
The WAF sees 1 request. The GraphQL server processes 10,000 operations.
3. Nested Recursion DoS
GraphQL allows relationships. A User has Friends. Friends are Users. Users have Friends.
If the server doesn't limit "Query Depth", a single deeply nested, circular query can crash the server (Denial of Service).
The database attempts the join 1,000 times, the CPU spikes to 100%, and the server dies.
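The three weaknesses above (introspection left on, batched operations, unbounded query depth) can all be rejected before a request reaches the resolvers. The following pre-execution guard is an added example written for this article, not code from any GraphQL server or library; the function names, the `LIMITS` values and the convention that the outermost selection set counts as depth 1 are my own assumptions.

```javascript
// Pre-execution guard for a GraphQL endpoint. It inspects the JSON body and
// returns a list of rejection reasons before any resolver runs.
// Hypothetical names and limits, chosen for this example; tune per API.
const LIMITS = { maxDepth: 5, maxBatch: 10, allowIntrospection: false };

// Remove string literals and # comments so braces inside them are not counted
// as selection sets (a string argument like "{{{" must not inflate depth).
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')     // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')  // ordinary strings
    .replace(/#[^\n]*/g, '');             // line comments
}

// Maximum nesting of selection sets; the outermost `{ ... }` counts as 1.
// `query { user { friends { id } } }` therefore has depth 3.
function selectionDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of stripLiterals(query)) {
    if (ch === '{') max = Math.max(max, ++depth);
    else if (ch === '}') depth--;
  }
  return max;
}

// True when the document touches the introspection root fields. `__typename`
// is a normal meta-field and is deliberately not matched.
function usesIntrospection(query) {
  return /\b__(schema|type)\b/.test(stripLiterals(query));
}

// body is the parsed JSON request body: one operation object, or an array of
// them when the client uses JSON-array batching. Returns [] if it may proceed.
function guardGraphqlRequest(body, limits = LIMITS) {
  const ops = Array.isArray(body) ? body : [body];
  const reasons = [];
  if (ops.length > limits.maxBatch) {
    reasons.push(`batch of ${ops.length} exceeds maxBatch=${limits.maxBatch}`);
  }
  ops.forEach((op, i) => {
    const q = typeof op.query === 'string' ? op.query : '';
    const d = selectionDepth(q);
    if (d > limits.maxDepth) reasons.push(`op[${i}] depth ${d} exceeds maxDepth=${limits.maxDepth}`);
    if (!limits.allowIntrospection && usesIntrospection(q)) reasons.push(`op[${i}] introspection is disabled`);
  });
  return reasons;
}
```

Batching via aliases inside a single document (many `a1: login(...)`, `a2: login(...)` fields) is not counted here; a production guard should also cap the number of root fields per operation, or better, use a cost-analysis validation rule.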
4. IDOR in GraphQL
In REST, you change `/users/1` to `/users/2`.
In GraphQL, it's just as easy, but often overlooked because the request is in the JSON body, not the URL.
Look for arguments like `id`, `uuid`, or `email` in Queries and Mutations.
Example: `query { user(id: 5) { email credit_card } }`
The Toolkit
Don't hack manually. Use these tools:
1. InQL (Burp Suite Extension): The standard. Visualizes the schema.
2. GraphQL Voyager: Turns the Introspection JSON into a beautiful interactive graph.
3. Clairvoyance: Can sometimes reconstruct the schema even if Introspection is disabled (by guessing field names).