Kali Linux

Graphql-Threat-Matrix : GraphQL Threat Framework Used By Security Professionals

graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations.

The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations.

Legend
✅  – Enabled by Default
⚠️  – Disabled by Default
❌  – No Support

Implementation	Validations	Field Suggestions	Query Depth limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
wp-graphql	38	✅	⚠️	❌	❌	⚠️	⚠️	✅
graphql-php	37	✅	⚠️	⚠️	❌	✅	⚠️	⚠️
Apollo	34	✅	⚠️	⚠️	✅	✅	✅	✅
graphql-yoga	34	✅	⚠️	❌	❌	⚠️	⚠️	⚠️
graphene	34	✅	❌	❌	❌	✅	❌	⚠️
Ariadne	34	✅	⚠️	⚠️	❌	✅	⚠️	❌
Strawberry	34	✅	⚠️	❌	❌	✅	❌	❌
graphql-ruby	28	✅	❌	⚠️	⚠️	✅	❌	✅
Sangria	27	✅	⚠️	⚠️	❌	✅	❌	⚠️
Tartiflette	26	❌	❌	❌	❌	✅	❌	❌
graphql-java	26	✅	⚠️	⚠️	❌	✅	❌	⚠️
gqlgen	25	✅	❌	⚠️	⚠️	✅	⚠️	⚠️
Dgraph	25	✅	❌	❌	⚠️	✅	❌	❌
graphql-go	24	✅	❌	❌	❌	✅	⚠️	❌
juniper	24	❌	❌	❌	❌	✅	❌	⚠️
Diana.jl	10	✅	❌	❌	❌	✅	❌	❌
gql-dart/gql	9	✅	❌	❌	❌	✅	❌	❌
Agoo	1	❌	❌	❌	❌	✅	⚠️	❌