GraphQL Security Scan
Discovers a GraphQL endpoint (or uses the URL you provide) and checks the classic GraphQL exposures — introspection, error-based field suggestions, GET-based execution (CSRF), and array batching (brute-force / rate-limit amplification). All probes are benign read-only queries.
What this assesses
- ✓ GraphQL endpoint auto-discovery across common paths
- ✓ Introspection enabled (full schema readable)
- ✓ Error-based field suggestions ("Did you mean …")
- ✓ GET-based query execution (CSRF / cache leakage)
How it works
Read-only: benign queries only, nothing replayed at volume.
1. We discover the GraphQL endpoint (or use the URL you give us) and send a standard introspection query.
2. We check the classic exposures: full introspection, error-based field suggestions, GET-based execution (CSRF risk) and array batching (brute-force amplification).
3. All probes are benign read-only queries — no mutations are sent and nothing is replayed at volume.
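As an added example (not part of this page or the ONEROXE scanner's own code), the following Python classifies captured responses to the four benign probes described above, so you can audit your own endpoint from saved responses. The probe bodies and the sample responses are constructed; no network access is needed.

```python
# Added example: classify GraphQL probe responses into the four findings above.
# All probe bodies and sample responses below are constructed for illustration.

INTROSPECTION_QUERY = "{ __schema { types { name } } }"   # minimal introspection
TYPENAME_QUERY = "{ __typename }"                           # harmless query, also sent via GET
SUGGESTION_QUERY = "{ __typenam }"                          # deliberate typo to elicit "Did you mean"
BATCH_BODY = [{"query": TYPENAME_QUERY}, {"query": TYPENAME_QUERY}]  # 2-item array batch


def introspection_enabled(body):
    """Schema is readable if the introspection response carries a __schema object."""
    return isinstance((body.get("data") or {}).get("__schema"), dict)


def field_suggestions_enabled(body):
    """'Did you mean' in an error message means the server leaks valid field names."""
    return any("did you mean" in (e.get("message") or "").lower()
               for e in body.get("errors") or [])


def get_execution_allowed(status, body):
    """A query answered with data over GET is cross-site triggerable (CSRF) and cacheable."""
    return status == 200 and (body.get("data") or {}).get("__typename") is not None


def batching_supported(body):
    """An array request answered with one result per element means batching is on."""
    return (isinstance(body, list) and len(body) == len(BATCH_BODY)
            and all(isinstance(r, dict) and r.get("data") for r in body))


def assess(responses):
    """responses maps probe name -> (http_status, parsed JSON body); returns finding labels."""
    checks = [
        ("introspection", lambda s, b: introspection_enabled(b), "Introspection enabled"),
        ("suggestion", lambda s, b: field_suggestions_enabled(b), "Error-based field suggestions"),
        ("get", get_execution_allowed, "GET-based query execution"),
        ("batch", lambda s, b: batching_supported(b), "Array batching supported"),
    ]
    return [label for name, check, label in checks if check(*responses[name])]


# Constructed sample responses standing in for a misconfigured endpoint.
SAMPLE_RESPONSES = {
    "introspection": (200, {"data": {"__schema": {"types": [{"name": "Query"}]}}}),
    "suggestion": (400, {"errors": [{"message":
        'Cannot query field "__typenam" on type "Query". Did you mean "__typename"?'}]}),
    "get": (200, {"data": {"__typename": "Query"}}),
    "batch": (200, [{"data": {"__typename": "Query"}}, {"data": {"__typename": "Query"}}]),
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_RESPONSES):
        print("FINDING:", finding)
```

To use it against a real endpoint, send each probe body yourself (the GET probe as a `?query=` parameter) and feed the status and parsed JSON into `assess`.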
Why it matters
GraphQL’s flexibility is also its risk: introspection hands attackers your whole schema, batching turns one request into thousands of login attempts, and GET execution opens CSRF. These are config-level issues that are easy to fix once you can see them.
Frequently asked questions
Is this scan safe to run?
Yes — every probe is a small, benign read-only query (`__typename`, introspection, a 2-item batch). Nothing is mutated and nothing is replayed at volume.
It can’t find my endpoint — what do I do?
Pass the full endpoint URL (e.g. https://api.example.com/graphql) instead of just the domain. Auto-discovery only tries common paths.
Should introspection always be off?
In production, generally yes — it exposes your entire schema. Keep it for local/staging, and disable it (plus field suggestions) in production to slow down attackers.