GraphQL injection covers abuse of a GraphQL endpoint's flexible query language, including leaking the schema via introspection, sending nested or batched queries to overload the server, and slipping unsanitized arguments into resolvers that hit a SQL or NoSQL backend. The single /graphql endpoint and rich queries widen the attack surface.
The GraphQL Injection generator emits a full introspection query against __schema and __type to enumerate every type, field, and mutation, plus the lighter __typename probe. If introspection is disabled, use the suggestion-based field guessing and error-message leakage payloads it provides to map the API.
Because GraphQL accepts arrays of operations and arbitrary field aliases, you can send hundreds of mutations in one request to brute-force logins or 2FA codes while bypassing per-request rate limits. Deeply nested or recursive queries also enable denial-of-service, so test for query depth limits, cost analysis, and aliasing-based amplification.
Yes. It is free and runs entirely in your browser with no data leaving your machine, keeping your target endpoints confidential. Run the generated introspection and batching payloads only against GraphQL APIs you have written permission to test.