Hackfest 2024 - 16-bit Edition


Challenges of GraphQL security in 2024
10-12, 16:30–17:20 (America/New_York), Track 1 (206b)
Language: English

GraphQL’s capability to fetch precisely what’s needed and nothing more, its efficient handling of real-time data, and its ease of integration with modern architectures make it a compelling choice for modern web and mobile applications. As developers seek more efficiency and better performance from their applications, GraphQL is increasingly becoming the go-to technology for API development. However, building and maintaining GraphQL applications requires careful consideration of security.

In this talk, security engineers will strengthen their GraphQL security skills by learning key defensive techniques: query complexity management, limits on batching and aliasing, input sanitization, and depth limit enforcement. They will also learn how to deploy customizable protection middleware such as GraphQL Armor together with their development team, across several GraphQL server engines.

Participants will explore different techniques and packages, and apply them to enhance the safety of their GraphQL applications. By the end of the talk, attendees will be equipped with practical knowledge to build secure and efficient GraphQL APIs.


  1. Research Background
    In this section, we will set the stage by discussing the motivation and context behind our research. We'll explore why GraphQL is rapidly gaining traction in modern web and mobile applications, emphasizing its benefits such as precise data fetching, real-time data handling, and seamless integration with contemporary architectures. This section will highlight the importance of security in GraphQL applications, given their growing use and the complexity of their implementations. We'll also describe the research scope, an analysis of 13,000 GraphQL issues found in public APIs, to give the audience a sense of the scale and depth of the study.

  2. Methodology
    2a. What is Discovery & Fingerprinting?
    In this sub-section, we will explain the concepts of discovery and fingerprinting in the context of GraphQL APIs. We'll define both terms (locating exposed GraphQL endpoints, then identifying the server engine behind each one) and explain their significance in the security domain.

    2b. Why is it Needed?
    Here, we'll discuss why discovery and fingerprinting were a prerequisite for the study: GraphQL endpoints had to be located and identified before any of them could be assessed, and the engine behind an endpoint determines which defaults and weaknesses apply.

    2c. How We Combined Subdomain Enumeration, Fingerprinting, and Various OSINT Techniques
    This sub-section will describe the approach we used to discover exposed GraphQL APIs. We'll explain how we integrated subdomain enumeration (listing all subdomains associated with a domain) with AI-powered fingerprinting tools and OSINT (Open Source Intelligence) techniques. The audience will gain insights into the technical process and tools that enabled us to uncover GraphQL endpoints without prior configuration.

  3. Key Findings
    3a. Analysis of Key Vulnerabilities
    In this section, we will present the key vulnerabilities uncovered during our research. By analyzing the 13,000 GraphQL issues, we will identify patterns and common security pitfalls. This analysis will be data-driven, showing which types of vulnerabilities were encountered most frequently and their potential impact on GraphQL applications.

    3b. Focus on Unrestricted Resource Consumption
    Here, we will zoom in on one of the most common vulnerabilities found: unrestricted resource consumption. We will discuss how attackers can exploit GraphQL's flexibility to craft queries that consume excessive server resources (deeply nested or recursive selections, alias floods that repeat one field many times, and large batches of operations in a single request), leading to denial-of-service (DoS) conditions.

    3c. Focus on Schema Availability
    This sub-section will examine another major vulnerability: schema availability. We'll explain how an exposed GraphQL schema, whether obtained through introspection or reconstructed by other means, gives attackers a complete map of the API's types, fields, and mutations, and how that knowledge leads to further exploitation.

  4. GraphQL-specific Vulnerabilities
    In this section, we will dive deeper into vulnerabilities unique to GraphQL, distinguishing them from traditional REST API vulnerabilities. We will discuss issues such as query depth, recursion through self-referencing relations, and introspection queries, explaining how each can be exploited if not properly limited. The aim here is to give the audience a clear understanding of the security challenges that are specific to GraphQL implementations.
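The limits discussed in sections 3b, 3c and 4 (depth and recursion, alias floods, batching, introspection) in one added JavaScript example. This is not code from the talk or from GraphQL Armor; it is a dependency-free request gate written for this page so the individual checks are visible. The limit values, the sample request bodies, the field names (`user`, `friends`, `login`) and the function names `analyzeQuery` and `checkRequest` are all assumptions made for illustration. A production deployment would use a real parser or a maintained middleware such as GraphQL Armor rather than this scanner.

```javascript
// Added example for this page; not code from the talk or from GraphQL Armor.
// A dependency-free pre-execution gate for a GraphQL HTTP endpoint that
// enforces the limits the talk lists: selection-set depth, alias count,
// batch size and introspection. Limits, queries and field names are
// hypothetical and constructed for illustration.

const DEFAULT_LIMITS = {
  maxDepth: 6,               // deepest nesting of selection sets allowed
  maxAliases: 5,             // aliases per operation (a flood replays one field)
  maxBatch: 3,               // operations per request when the body is an array
  allowIntrospection: false, // __schema / __type hidden outside development
};

// Scan a GraphQL document without a full parser. String literals, comments
// and argument lists are skipped so braces and colons inside them do not
// count. Caveat: fragments are measured where they are defined, not where
// they are spread, so a full-parser check should resolve them first.
function analyzeQuery(query) {
  let depth = 0, maxDepth = 0, parens = 0, aliases = 0, introspection = false;
  let ident = '';
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (/[A-Za-z0-9_]/.test(c)) { ident += c; continue; }
    if (ident) {
      // A complete name at selection level. Only exact matches are the
      // introspection roots; __typename is harmless and stays allowed.
      if (parens === 0 && (ident === '__schema' || ident === '__type')) introspection = true;
      ident = '';
    }
    if (c === '"') {                              // "string" or """block string"""
      const quote = query.startsWith('"""', i) ? '"""' : '"';
      let j = i + quote.length;
      while (j < query.length && !query.startsWith(quote, j)) {
        j += (query[j] === '\\' && quote === '"') ? 2 : 1; // honour escapes
      }
      i = j + quote.length - 1;
      continue;
    }
    if (c === '#') {                              // line comment
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (c === '(') parens++;
    else if (c === ')') parens--;
    else if (parens > 0) continue;                // inside arguments / variables
    else if (c === '{') { depth++; if (depth > maxDepth) maxDepth = depth; }
    else if (c === '}') depth--;
    else if (c === ':') aliases++;                // colon outside arguments = alias
  }
  return { depth: maxDepth, aliases, introspection };
}

// Apply the limits to one HTTP request body (a single operation object or,
// if batching is enabled, an array of them) before anything is executed.
function checkRequest(body, limits = DEFAULT_LIMITS) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return { ok: false, violations: ['body is not JSON'] }; }
  const ops = Array.isArray(parsed) ? parsed : [parsed];
  const violations = [];
  if (ops.length > limits.maxBatch) {
    violations.push(`batch of ${ops.length} operations exceeds ${limits.maxBatch}`);
  }
  ops.forEach((op, n) => {
    const r = analyzeQuery(op && typeof op.query === 'string' ? op.query : '');
    if (r.depth > limits.maxDepth) violations.push(`op ${n}: depth ${r.depth} exceeds ${limits.maxDepth}`);
    if (r.aliases > limits.maxAliases) violations.push(`op ${n}: ${r.aliases} aliases exceed ${limits.maxAliases}`);
    if (r.introspection && !limits.allowIntrospection) violations.push(`op ${n}: introspection is disabled`);
  });
  return { ok: violations.length === 0, violations };
}

// Constructed sample request bodies (not captured traffic).
const SAMPLES = {
  benign: JSON.stringify({ query: '{ user(id: "1") { name posts { title } } }' }),
  // Recursion through a self-referencing relation: every level multiplies the rows loaded.
  deep: JSON.stringify({ query: '{ user { friends { friends { friends { friends { friends { name } } } } } } }' }),
  // Alias flood: one request that tries six passwords against the same mutation.
  aliasFlood: JSON.stringify({ query: 'mutation { ' +
    Array.from({ length: 6 }, (_, i) => `t${i}: login(user: "bob", password: "guess${i}") { token }`).join(' ') + ' }' }),
  introspection: JSON.stringify({ query: '{ __schema { types { name } } }' }),
  batch: JSON.stringify(Array.from({ length: 4 }, () => ({ query: '{ me { id } }' }))),
};

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkRequest(body)));
}
```

Each check maps to one abuse pattern from the talk: the depth limit catches recursion through self-referencing relations, the alias count catches a single request that replays a mutation many times (one password guess per alias), the batch limit bounds array bodies, and the introspection switch keeps `__schema` and `__type` out of production while leaving `__typename` alone. What a scanner like this cannot do is assign per-field costs; complexity management proper needs the schema, which is why it belongs in schema-aware middleware such as GraphQL Armor.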

  5. Sensitive Data Exposed
    This section will focus on instances from the study where sensitive data was exposed through poorly secured GraphQL APIs.

  6. Best Practices for GraphQL Security
    6a. For Security Engineers
    In this sub-section, we will outline specific best practices that security engineers can adopt to secure GraphQL APIs they do not build themselves: locating and fingerprinting their own endpoints, and enforcing the limits discussed earlier in front of the server.

    6b. To Implement in Development Process
    Here, we will focus on best practices that developers should integrate into their development process. This will include guidance on secure schema design, validating and sanitizing inputs, and leveraging existing security frameworks and tools like GraphQL Armor.

  7. Future Research Directions
    In the final section, we will discuss the future of GraphQL security research. We'll also share our research goals and encourage the community to engage in collaborative efforts to enhance GraphQL security.

Are you releasing a tool? – no

Antoine is co-founder & CTO of Escape. He is a former security engineer and penetration tester at the French National Secret Agency and at Apple. He is one of the maintainers of Clairvoyance and the co-author of GraphQL Armor.