A curated list of awesome GraphQL Security frameworks, libraries, software and resources
- GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.
- Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.
- WAF for GraphQL - Web Application Firewall for GraphQL APIs
- GraphDNA - Fast GraphQL engine fingerprinting tool using multi heuristics
- Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
- GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.
- Graphw00f - GraphQL Server Engine Fingerprinting utility
- Clairvoyance - Partial introspection fetcher for when introspection is disabled
- GraphQL Path Enum - Tool that lists the different ways of reaching a given type in a GraphQL schema.
- GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
- CrackQL - GraphQL password brute-force and fuzzing utility.
- GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
- GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
- GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
- InQL - A Burp Extension for GraphQL Security Testing.
- Damn Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
- GraphQL Visualizer - Visualize GraphQL schemas
- Voyager - Represent any GraphQL API as an interactive graph.
- Access Control Best Practices for GraphQL with Authentication and Authorization - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
- Apollo Blog - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.
- The GraphQL Security Blog - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
- Aliasing Attacks - Addressing the Security concerns of GraphQL Aliases.
- File Inclusion and Directory Traversal - File Inclusion and Directory Traversal in GraphQL.
- GraphQL CSRF - Understanding and Dealing with Cross-Site Request Forgery Attacks (CSRF) in GraphQL
- GraphQL Cyclic Queries and Depth Limiting - The relational aspect of GraphQL can be a vulnerability: deep and cyclic queries can make your API crawl under the load and crash.
- HTTPS and GraphQL - How HTTPS can prevent Data Leaks
- SQL Injection - SQL Injections in GraphQL
- Verbose Errors Suggestions - When GraphQL Error Messages become a Security Issue.
Your contributions are always welcome! Please take a look at the contribution guidelines first.
We will keep some pull requests open if we are not sure whether those libraries are awesome; you can vote for them by adding 👍 to them.
If you have any questions about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.