We’re proud to announce that Inigo has been named one of the very few DevOps Dozen finalists in the Best New DevOps Tools category.
Experimenting with operation name characters. The GraphQL specification defines which characters a name may and may not contain, yet implementations deviate from it. This is why it is important to know your implementation well.
Watch out for array batching. Queries can be batched by placing them in an array and sending them to a GraphQL server in a single request. This option is not available in all implementations, and the GraphQL specification does not mention it.
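The two points above, operation names that stray from the spec's Name grammar and array batches that an implementation may quietly accept, can both be checked before a request reaches the GraphQL engine. The following is an added example written for this page, not Inigo's code: it assumes the usual JSON body shape (`{query, operationName, variables}`, or an array of such objects for a batch) and uses a hypothetical batch limit. It reports operation names exactly as written, so a name the engine would accept but the spec does not becomes visible.

```javascript
// Added example, not Inigo's code: check that operation names follow the
// spec's Name grammar and that array batches stay within a limit.
// Assumptions: the body is the common JSON shape {query, operationName, variables}
// or an array of such objects; the batch limit is a hypothetical policy value.

// GraphQL spec Name grammar: /[_A-Za-z][_0-9A-Za-z]*/
const NAME = /^[_A-Za-z][_0-9A-Za-z]*$/;

function isSpecName(name) {
  return typeof name === "string" && NAME.test(name);
}

// Blank out string literals and comments so text inside them cannot be
// mistaken for an operation definition.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\])*"/g, '""')
    .replace(/#[^\n]*/g, "");
}

// Names of every operation defined in the document, exactly as written
// (so names an implementation wrongly accepts are still visible).
function operationNames(query) {
  const re = /\b(query|mutation|subscription)\s+([^\s(){@]+)/g;
  const names = [];
  let m;
  while ((m = re.exec(stripLiterals(query))) !== null) names.push(m[2]);
  return names;
}

// Problems with one operation object (empty array means clean).
function checkOperation(op) {
  if (typeof op.query !== "string") return ["query must be a string"];
  const problems = [];
  const defined = operationNames(op.query);
  for (const n of defined) {
    if (!isSpecName(n)) problems.push(`defined operation name violates Name grammar: ${JSON.stringify(n)}`);
  }
  if (op.operationName != null) {
    if (!isSpecName(op.operationName)) {
      problems.push(`operationName violates Name grammar: ${JSON.stringify(op.operationName)}`);
    } else if (!defined.includes(op.operationName)) {
      problems.push(`operationName ${JSON.stringify(op.operationName)} is not defined in the document`);
    }
  } else if (defined.length > 1) {
    problems.push("document defines several operations but no operationName was sent");
  }
  return problems;
}

// Turn a body into a list of operations, refusing oversized or malformed batches.
function normalizeBatch(body, maxBatch = 5) {
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length === 0) return { ok: false, operations: [], reason: "empty batch" };
  if (ops.length > maxBatch) {
    return { ok: false, operations: [], reason: `batch of ${ops.length} exceeds limit of ${maxBatch}` };
  }
  if (ops.some((op) => op === null || typeof op !== "object" || Array.isArray(op))) {
    return { ok: false, operations: [], reason: "batch element is not an operation object" };
  }
  return { ok: true, operations: ops, reason: "" };
}

// Combined check: batch shape first, then every operation in it.
function inspectRequest(body, maxBatch = 5) {
  const batch = normalizeBatch(body, maxBatch);
  if (!batch.ok) return { accepted: false, reason: batch.reason, problems: [] };
  const problems = batch.operations.flatMap((op, i) =>
    checkOperation(op).map((p) => `op[${i}]: ${p}`));
  return { accepted: problems.length === 0, reason: "", problems };
}

// Constructed sample: a batch of three. The second uses a dash in an operation
// name, which some implementations accept although the spec does not; the
// third defines two operations without selecting one.
const SAMPLE_BATCH = [
  { query: "query GetUser { user(id: 1) { name } }", operationName: "GetUser" },
  { query: "query get-user { user(id: 1) { name } }", operationName: "get-user" },
  { query: "query A { a } query B { b }" },
];

console.log(inspectRequest(SAMPLE_BATCH));
```

Running it against the constructed batch reports three problems: the dashed name twice (once as defined, once as selected) and the missing `operationName` on the document with two operations. The same batch with a limit of two is refused before any operation is inspected, which is the cheap check to put first.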
GraphQL isn’t immune to vulnerabilities. It can suffer from them just like any other API technology, such as REST, SOAP, or gRPC, but some unique and interesting possibilities open up to attackers when GraphQL is present on a target they want to compromise.
We spent a few days examining data from two main sources, the CVE database maintained by MITRE and the HackerOne Hacktivity portal, to see what can be learned from analyzing GraphQL vulnerability data.
It’s not enough to know how GraphQL works and how it can be attacked. What also matters is whether security professionals have the tools to identify suspicious queries and exploitation attempts, and solutions to protect against GraphQL-tailored attacks.
You’ve identified a GraphQL server, now what? Well, the next step in the process is to learn all you can about the specific server.
Threat actors are after your APIs, whether it’s your data they’re interested in or abusing your services for their own financial gain.
Inigo is proud to announce it is the newest member of the GraphQL Foundation, the powerful and supportive community dedicated to promoting the widespread adoption of GraphQL and accelerating the development of its surrounding ecosystem.
GraphQL DoS (denial of service) attacks target the GraphQL parser, the resolvers, and the underlying databases, all from a single API call.
It is possible to protect your server from GraphQL's attack surfaces with a set of guardrails and GraphQL usage-based rate limiting.
A closer look at how granular access control can protect against weaknesses around introspection, field suggestions, and field fuzzing.
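The three weaknesses named above share a root: an unauthenticated caller learning the schema, either directly through `__schema`/`__type`, or indirectly through "Did you mean" suggestions in error messages and through guessing field names until one resolves. The block below is an added example written for this page, not Inigo's code. It gates introspection on a role, masks suggestion text for untrusted callers, and counts unknown-field errors per client as a field-fuzzing signal. Roles, thresholds and the sample error messages are hypothetical; the messages follow the wording graphql-js uses for unknown fields.

```javascript
// Added example, not Inigo's code: per-role introspection policy, masking of
// "Did you mean" field suggestions for untrusted callers, and a counter that
// flags clients producing many unknown-field errors (field fuzzing). Roles,
// thresholds and the sample error messages are hypothetical; the messages
// follow the wording graphql-js uses for unknown fields.

// Introspection entry points. __typename is not matched (there is no word
// boundary after "__type" inside "__typename"). Matching the raw text means a
// string literal containing "__schema" is also denied, which errs on the safe side.
const INTROSPECTION = /\b__(schema|type)\b/;

function usesIntrospection(query) {
  return INTROSPECTION.test(query);
}

function authorize(query, principal) {
  if (usesIntrospection(query) && principal.role !== "developer") {
    return { allowed: false, reason: "introspection is limited to the developer role" };
  }
  return { allowed: true, reason: "" };
}

// Strip the suggestion suffix from unknown-field errors unless the caller is trusted.
function sanitizeErrors(errors, principal) {
  if (principal.role === "developer") return errors;
  return errors.map((e) => ({ ...e, message: e.message.replace(/\s*Did you mean .*\?$/, "") }));
}

// Sliding window of unknown-field errors per client; `now` is in seconds.
class FuzzDetector {
  constructor({ threshold = 20, windowSeconds = 60 } = {}) {
    this.threshold = threshold;
    this.windowSeconds = windowSeconds;
    this.hits = new Map();
  }
  // Returns true when the client has reached the threshold within the window.
  observe(clientId, errors, now) {
    const unknown = errors.filter((e) => /^Cannot query field /.test(e.message)).length;
    const recent = (this.hits.get(clientId) || []).filter((t) => now - t < this.windowSeconds);
    for (let i = 0; i < unknown; i++) recent.push(now);
    this.hits.set(clientId, recent);
    return recent.length >= this.threshold;
  }
}

// Constructed sample response errors: two unknown fields with suggestions and
// one unrelated validation error that must be left untouched.
const SAMPLE_ERRORS = [
  { message: 'Cannot query field "emial" on type "User". Did you mean "email"?' },
  { message: 'Cannot query field "pasword" on type "User". Did you mean "password" or "passwordHash"?' },
  { message: 'Variable "$id" of required type "ID!" was not provided.' },
];

const anon = { role: "anonymous" };
console.log(authorize("{ __schema { types { name } } }", anon));
console.log(sanitizeErrors(SAMPLE_ERRORS, anon).map((e) => e.message));
```

The masking step is the one most often forgotten: disabling introspection while leaving suggestions enabled still hands an attacker the schema one typo at a time, and the fuzz counter is what turns that slow enumeration into an alert rather than a quiet success.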
As with any new technology, security awareness lags behind adoption. For this reason, GraphQL attack surfaces are bound to unfold for many of its users.