- Similar to the normal information disclosure via error triggering.
- Provide malformed or unexpected input within GraphQL queries.
- Sometimes you may observe verbose error messages revealing sensitive information.
- Due to an improper limit on the maximum query depth, it might be possible to perform a denial of service in graphql implementation.
- Nest a query to unlimited depth and send this query on a GraphQL endpoint to observe anything suspicious.
- A good example: https://owasp-skf.gitbook.io/asvs-write-ups/kbid-285-graphql-dos
- Similar to normal API like IDORs
- A good example: https://owasp-skf.gitbook.io/asvs-write-ups/kbid-285-graphql-idor
- https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application