Common GraphQL Misconceptions: A rant

Let’s talk about GraphQL, and how evil or good it is — a hot take from a developer-cum-pentester ;)

Common GraphQL Misconceptions

Clearing Misconceptions

Image Credits: SecurityGOAT (that’s me ;)

GraphQL is quite insecure!!

https://graphql.org/learn/authorization/

GraphQL sends queries directly to the database, you can’t control what people access!

GraphQL exposes your entire database.
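The three claims above share one assumption: that the query text reaches the database. It does not. Every requested field passes through a resolver, and the resolver (or the business layer it calls) decides what the caller may see, which is exactly the point the graphql.org authorization page makes. The following is an added example, not code from the original post or from the GraphQL project. It models the resolver walk in plain Node.js without the graphql library (the query is written as a nested object rather than GraphQL syntax), and the types, fields, users and roles are constructed for the demonstration.

```javascript
// Added example: a dependency-free model of GraphQL's execution layer, to show
// that a query never touches storage directly. Each field is produced by a
// resolver, and the resolver enforces authorization. Types, field names, users
// and the data store below are constructed for this demonstration.

// Constructed in-memory "database". In a real service this sits behind a
// data-access layer; the GraphQL query text is never handed to it.
const db = {
  users: [
    { id: '1', name: 'alice', email: 'alice@example.com', role: 'admin' },
    { id: '2', name: 'bob',   email: 'bob@example.com',   role: 'user'  },
  ],
};

// Resolvers: one function per (type, field). `ctx` carries the authenticated
// caller; authorization decisions live here, as the graphql.org page advises.
const resolvers = {
  Query: {
    users: (_parent, _args, ctx) => {
      if (!ctx.user) throw new Error('not authenticated');
      return db.users;
    },
  },
  User: {
    id:   (u) => u.id,
    name: (u) => u.name,
    // Sensitive field: only the owner or an admin may read it.
    email: (u, _args, ctx) => {
      if (ctx.user.role === 'admin' || ctx.user.id === u.id) return u.email;
      throw new Error('forbidden: email');
    },
  },
};

// Return type of each field, so the executor knows which resolver map to use
// for nested selections (null = scalar). A real schema encodes this in SDL.
const fieldTypes = {
  Query: { users: 'User' },
  User:  { id: null, name: null, email: null },
};

// Minimal executor over a selection set given as a nested object, e.g.
// { users: { id: true, email: true } }. The parser is omitted; the resolver
// walk is the same idea as graphql-js. A resolver error becomes null for that
// field plus an entry in `errors`, mirroring GraphQL's partial-result model.
function execute(typeName, selection, parent, ctx, path, errors) {
  const out = {};
  for (const [field, sub] of Object.entries(selection)) {
    const resolve = resolvers[typeName][field];
    if (!resolve) throw new Error(`unknown field ${typeName}.${field}`);
    const fieldPath = [...path, field];
    let value;
    try {
      value = resolve(parent, {}, ctx);
    } catch (e) {
      errors.push({ message: e.message, path: fieldPath });
      out[field] = null;
      continue;
    }
    const childType = fieldTypes[typeName][field];
    if (childType && Array.isArray(value)) {
      out[field] = value.map((item, i) =>
        execute(childType, sub, item, ctx, [...fieldPath, i], errors));
    } else if (childType) {
      out[field] = execute(childType, sub, value, ctx, fieldPath, errors);
    } else {
      out[field] = value;
    }
  }
  return out;
}

// Entry point: returns the familiar { data, errors } envelope.
function runQuery(selection, ctx) {
  const errors = [];
  const data = execute('Query', selection, null, ctx, [], errors);
  return { data, errors };
}

// Usage: bob (a plain user) asks for every user's id and email. He gets his
// own address back; alice's comes back as null with an error at users.0.email.
const result = runQuery({ users: { id: true, email: true } },
                        { user: { id: '2', role: 'user' } });
console.log(JSON.stringify(result, null, 2));
```

The point to take from the output is that the shape of the query does not change what is returned; the resolvers do. An unauthenticated caller gets `users: null` with an error, a plain user gets only their own email, and an admin sees everything, all from the same selection set.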

GraphQL means you have to use a graph database

Don’t use GraphQL, it has a huge attack surface!

Introspection is the real GraphQL evil — it exposes all your sensitive fields and lets attackers read all the data.

GraphQL’s autocorrection can also expose your schema and leak info about your APIs!

Rant Time? Let’s do it!

When is GraphQL an issue for me?

Closing Thoughts

Wannabe Hacker! Teaching Infosec in my own insightful ways :) Twitter: twitter.com/_SecurityGOAT | Support: buymeacoffee.com/SecurityGOAT