Test GraphQL endpoints for common security vulnerabilities. Generate introspection queries with bypass techniques, ready-to-use attack payloads (batching, injection, IDOR, DoS, CSRF), field fuzzing queries for hidden sensitive data, and security header combinations. All client-side — nothing is sent to any server. For authorized testing only.
Enter your target endpoint to generate ready-to-run curl commands. All queries run in your terminal — nothing is sent from this page.
The full GraphQL introspection query — dumps the entire schema including types, fields, arguments, and directives.
# Entry point of the introspection document. It selects the names of the three
# root operation types, every type in the schema (expanded by the FullType
# fragment) and every directive with its arguments (expanded by InputValue).
#
# Defender note: an endpoint that answers this query discloses its complete API
# surface. Restrict or disable introspection outside development, and log
# requests that select __schema so that schema enumeration is visible in
# monitoring.
query IntrospectionQuery {
  __schema {
    # Root operation types; mutationType and subscriptionType are null when the
    # schema does not define them.
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    # Every named type known to the schema, including the built-in
    # introspection types themselves.
    types {
      ...FullType
    }
    # Directives the server supports, where each may appear, and their arguments.
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}
# Full description of one schema type. Which of the sub-selections return data
# depends on the type's kind; the ones that do not apply come back as null.
fragment FullType on __Type {
  kind
  name
  # Description strings are returned verbatim, so anything the schema author
  # wrote in them is visible to whoever can run introspection.
  description
  # Fields of object and interface types. includeDeprecated: true also returns
  # fields marked @deprecated, which are left out by default.
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  # Fields of input object types.
  inputFields {
    ...InputValue
  }
  # Interfaces this type implements.
  interfaces {
    ...TypeRef
  }
  # Values of enum types, deprecated values included.
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  # Concrete types behind an interface or union.
  possibleTypes {
    ...TypeRef
  }
}
# One argument or input field: its name, documentation, declared type and
# default value.
fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  # The default comes back as a string holding the printed GraphQL literal.
  # NOTE(review): schema defaults are disclosed by introspection, so they should
  # not carry internal hostnames, tokens or similar values.
  defaultValue
}
# Reference to a type, unwrapping NON_NULL and LIST wrappers through ofType.
# GraphQL has no recursive selection, so the nesting is written out by hand:
# seven ofType levels below the outer type. A type wrapped more deeply than
# that is returned cut off at the innermost level shown here.
# NOTE(review): this fragment is the deepest part of the document, so a
# server-side query-depth limit is evaluated against it.
fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}
curl -s -X POST 'https://target.com/graphql' \
-H 'Content-Type: application/json' \
-d '{"query":"query IntrospectionQuery {\n __schema {\n queryType { name }\n mutationType { name }\n subscriptionType { name }\n types {\n ...FullType\n }\n directives {\n name\n description\n locations\n args {\n ...InputValue\n }\n }\n }\n}\n\nfragment FullType on __Type {\n kind\n name\n description\n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n}\n\nfragment InputValue on __InputValue {\n name\n description\n type { ...TypeRef }\n defaultValue\n}\n\nfragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n }\n }\n }\n }\n}"}'

The raw selection set for embedding in a JSON body: "query": "{ __schema { ... } }"
{
"__schema": {
"queryType": { "name": null },
"mutationType": { "name": null },
"subscriptionType": { "name": null },
"types": {
"kind": null,
"name": null,
"description": null,
"fields": {
"name": null,
"description": null,
"args": {
"name": null,
"description": null,
"type": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": { "kind": null, "name": null }
}
}
},
"defaultValue": null
},
"type": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": { "kind": null, "name": null }
}
}
},
"isDeprecated": null,
"deprecationReason": null
},
"inputFields": null,
"interfaces": null,
"enumValues": null,
"possibleTypes": null
},
"directives": {
"name": null,
"description": null,
"locations": null,
"args": {
"name": null,
"description": null,
"type": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": {
"kind": null,
"name": null,
"ofType": { "kind": null, "name": null }
}
}
},
"defaultValue": null
}
}
}
}