Awesome
<!--lint disable awesome-list-item awesome-toc-->Awesome GraphQL Security 
A curated list of awesome GraphQL Security frameworks, libraries, software, and resources.
Contents
Defensive Security
Authentication & Authorization
- GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.
- GraphQL Authz - GraphQL authorization layer
Continous Security Testing
- Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.
- GraphQL Cop - Utility to run common security tests against GraphQL APIs that can be run inside CI/CD.
Middlewares
- GraphQL Armor - Highly customizable security middleware for Apollo GraphQL and Envelop servers.
Security Solutions
- WAF for GraphQL - Web Application Firewall for GraphQL APIs.
Neutral Security
Clients and IDEs
- Postman - Postman is an API platform for developers to design, build, test and iterate their APIs.
- Insomnia - Design and test GraphQL APIs with ease.
- Altair - GraphQL Client helps you debug GraphQL queries and implementations. Also distributed as a Browser Extension.
- Hoppscotch - Online REST and GraphQL client
Self-Discovery
- GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.
Visualizers
- GraphQL Visualizer - Visualize GraphQL schema.
- Voyager - Represent any GraphQL API as an interactive graph.
- GraphQL Inspector – Validate schema, get schema change notifications, validate operations, find breaking changes, look for similar types, schema coverage.
- GraphQL Rover - GraphQL schema viewer for endpoints with introspection
- CraftQL - CLI GraphQL schema viewer, view schema diagram on the terminal or generate graphviz .dot format file
Offensive Security
Discovery
- Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
- Graphw00f - GraphQL Server Engine Fingerprinting utility.
- Clairvoyance - Patrial introspection fetcher when introspection is disabled.
- GraphQL Path Enum – Tool that lists the different ways of reaching a given type in a GraphQL schema.
- ShapeShifter - Schema extraction to JSON file with introspection.
- Goctopus - a GraphQL endpoint discovery and fingerprinting tool.
Exploitation
- GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
- CrackQL - GraphQL password brute-force and fuzzing utility.
- GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
- GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
- GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
- InQL - A Burp Extension for GraphQL Security Testing.
- BatchQL - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
- GraphQL wordlist - the only GraphQL wordlist for pentesting you'll ever need. Operations, field names, type names. It was collected on more than 60k distinct GraphQL schemas.
Vulnerable Applications
- Damn Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Resources
Academy
- API Security Academy - Hands-on learning about GraphQL. Each lesson is built around a WebContainer containing a live GraphQL application, so you'll not only understand why a vulnerability is risky, but also how to exploit it and, most importantly, how to fix it.
Blogs
- Access Control Best Practices for GraphQL with Authentication and Authorization - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
- Apollo Blog - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.
- The GraphQL Security Blog - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
- GraphQL for Pentesters - Introduction to Basic Concepts, Security Considerations & Reconnaissance, Vulnerabilities and Attacks, Offensive Tools.
- GraphQL security for decentralized applications (DApps): challenges and best practices - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
Vulnerabilities
- Aliasing Attacks - Addressing the Security concerns of GraphQL Aliases.
- File Inclusion and Directory Traversal - File Inclusion and Directory Traversal in GraphQL.
- GraphQL CSRF - Understanding and Dealing with Cross-Site Request Forgery Attacks (CSRF) in GraphQL.
- GraphQL Cyclic Queries and Depth Limiting - The relational aspect of GraphQL can be a vulnerability exploited by running deep and cyclic queries causing your API to crawl under the load and crash.
- HTTPS and GraphQL - How HTTPS can prevent Data Leaks.
- SQL Injection - SQL Injections in GraphQL.
- Verbose Errors Suggestions - When GraphQL Error Messages become a Security Issue.
- What are Insecure Direct Object References (IDOR) in GraphQL, and how to fix them - When GraphQL Error Messages become a Security Issue.
Contributing
Your contributions are always welcome! Please take a look at the contribution guidelines first.
We will keep some pull requests open if we are not sure whether those libraries are awesome, you could vote for them by adding :+1: to them.
If you have any question about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.
🤝 Join our team
We believe it's time to bring more AI-driven innovation to cybersecurity, and we'd love your help in building this dream! Want to join our adventure? Check out our Careers page!