With its flexible querying capabilities, [GraphQL](https://konghq.com/blog/learning-center/graphql)GraphQL makes it easy to combine data from multiple sources into a single endpoint. [GraphQL and API management](https://konghq.com/solutions/api-management-graphql)GraphQL and API management go hand in hand to build next-generation API platforms.
However, GraphQL's features can also introduce security risks if not properly implemented.
In a talk at [API Summit 2023](https://konghq.com/events/conferences/api-summit/register-now)API Summit 2023, Tristan Kalos and Antoine Carossio (co-founders of GraphQL security testing company [Escape](https://escape.tech/)Escape) dug into the most common and most underestimated vulnerabilities unearthed by analyzing over 130,000 public GraphQL endpoints. In their research, which is gathered in [The State of GraphQL Security 2023](https://escape.tech/resources/state-of-graphql-security-2023/)The State of GraphQL Security 2023 report, they identified nearly 50,000 security alerts, 10% of which were critical.
So, how can GraphQL be prone to security issues? And what are the most common vulnerabilities developers need to watch out for? Let's break it down.
GraphQL is vulnerable for two key reasons:
The features in GraphQL that give it flexibility can also be exploited by attackers. For example, GraphQL allows batching and aliasing requests. This lets you send multiple queries in one HTTP request.
This is great for performance. But it also lets attackers bypass rate limiting enforced at the HTTP layer — meaning they can send hundreds of login attempts in one request to brute force credentials.
Another example worth calling out is GraphQL's recursive fragments. These allow developers to reuse query logic. But an unprotected GraphQL engine can be crashed with infinite recursion, creating a denial of service vulnerability.
In GraphQL, every entity can be accessed via multiple paths. This makes it easy for developers to inadvertently expose access to sensitive data.
For instance, an admin mutation could be left unprotected under the assumption it's not publicly accessible. But if another path leads to it, an attacker could discover and abuse it.
Robust access control in GraphQL requires meticulous auditing of all possible paths — which is not exactly a trivial task.
Across over 1,600 scanned production apps, the team at Escape found both GraphQL-specific vulnerabilities along with plenty of classic API vulnerabilities. The most common GraphQL vulnerabilities they encountere include:
The aforementioned batching and aliasing features enable brute-forcing attacks even past rate limits. Expect account takeovers if login mechanisms aren't robust.
Unprotected recursive fragments create crashes. GraphQL's flexibility naturally risks resource exhaustion DoS attacks.
Many GraphQL servers try to hide their schema, but the field suggestion feature can inadvertently leak it. Public tools like [Clarivoyance](https://github.com/nikitastupin/clairvoyance)Clarivoyance automate schema reconstruction. This exposes private mutations. In one case, Escape took over an admin account by finding an unprotected password reset mutation.
Beyond the GraphQL-specific vulnerabilities, Escape also uncovered some classic API security vulnerabilities in their research that can’t be overlooked. Not surprisingly, there was much overlap between the vulnerabilities found and the [OWASP API Security Top 10](https://konghq.com/blog/engineering/owasp-top-10-api-security-2023)OWASP API Security Top 10.
The problem here is that Stack Traces give too much information on what’s vulnerable in your app.
For example, when there’s a GraphQL error, it gives the precise path of the source code that created the problem. Using this, one could get information about the libraries used by this GraphQL endpoint — and then look up vulnerabilities that affect these libraries.
This is very common in GraphQL. Most routes writing data (mutation) aren’t supposed to be accessible without authentication. However, many GraphQL endpoints have bad access control implementation and thus an unauthorized user or a user with low-level authorization can access restricted data.
Believe it or not, injection attacks are still a major issue. Escape’s research uncovered SQL, NoSQL, and even Bash command injections in GraphQL services. This can lead to data theft if developers don't follow secure coding practices.
GraphQL isn't immune to traditional security pitfalls. 40% of the discovered vulnerabilities were classic API issues, like broken authentication and access control. Notably, improper error handling exposed internal API keys and secrets. GraphQL doesn't inherently protect downstream dependencies.
Most alarmingly, Escape’s analysis discovered huge amounts of sensitive data leaked in public GraphQL endpoints, including:
This data exposure could enable account takeovers, cloud resource hijacking, and identity theft. It highlights the pressing need for rigorous security controls in GraphQL services.
GraphQL opens new horizons for API development. With disciplined security practices, you can build the next generation of interfaces while keeping your data safe.
For this and other talks around all things related to APIs, check out on-demand sessions from [API Summit](https://konghq.com/events/conferences/api-summit/register-now)API Summit.
Ensuring secure access to applications and APIs is critical. As organizations increasingly adopt microservices architectures and cloud native solutions, the need for robust, fine-grained access control mechanisms becomes paramount. This is where the
[](https://konghq.com/blog/engineering/secure-access-control-with-opa-and-kong)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-b
[](https://konghq.com/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
With digital transformation shifting networks into the cloud — from remote workforces to online banking — cyberattacks are growing more prevalent and sophisticated. Legacy security models like VPNs and perimeter-based firewalls are proving inadequat
[](https://konghq.com/blog/engineering/microsegmentation-and-zero-trust-security)
As APIs and microservices evolve, the architecture used to secure these resources must also mature. Utilizing a token-based architecture to protect APIs is a robust, secure and scalable approach, and it is also much safer than API keys or basic au
[](https://konghq.com/blog/engineering/token-based-access-control)
As more and more companies move to a multi-cloud strategy and increase usage of a cloud native infrastructure , API providers are under a lot of pressure to deliver APIs at scale in multi-cloud environments. At the same time, APIs should follow eac
[](https://konghq.com/blog/engineering/api-authorization)
In our last Kong and Okta tutorial, we will implement a basic access control policy based on Okta’s groups and planes. This series will show you how to implement service authentication and authorization for Kong Konnect and Okta using the OpenI
[](https://konghq.com/blog/engineering/access-control-policies)
This tutorial will walk through a common use case for the Kong Gateway Key Authentication plugin : using API key authentication to protect a route to an API server endpoint. It’s a simple use case, but it will give you the foundation to deploy and
[](https://konghq.com/blog/engineering/kong-gateway-key-authentication)