Graphql-Threat-Matrix : GraphQL Threat Framework Used By Security Professionals

graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations.

The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations.

Legend
✅  – Enabled by Default
⚠️  – Disabled by Default
❌  – No Support

Implementation	Validations	Field Suggestions	Query Depth limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
wp-graphql	38	✅	⚠️	❌	❌	⚠️	⚠️	✅
graphql-php	37	✅	⚠️	⚠️	❌	✅	⚠️	⚠️
Apollo	34	✅	⚠️	⚠️	✅	✅	✅	✅
graphql-yoga	34	✅	⚠️	❌	❌	⚠️	⚠️	⚠️
graphene	34	✅	❌	❌	❌	✅	❌	⚠️
Ariadne	34	✅	⚠️	⚠️	❌	✅	⚠️	❌
Strawberry	34	✅	⚠️	❌	❌	✅	❌	❌
graphql-ruby	28	✅	❌	⚠️	⚠️	✅	❌	✅
Sangria	27	✅	⚠️	⚠️	❌	✅	❌	⚠️
Tartiflette	26	❌	❌	❌	❌	✅	❌	❌
graphql-java	26	✅	⚠️	⚠️	❌	✅	❌	⚠️
gqlgen	25	✅	❌	⚠️	⚠️	✅	⚠️	⚠️
Dgraph	25	✅	❌	❌	⚠️	✅	❌	❌
graphql-go	24	✅	❌	❌	❌	✅	⚠️	❌
juniper	24	❌	❌	❌	❌	✅	❌	⚠️
Diana.jl	10	✅	❌	❌	❌	✅	❌	❌
gql-dart/gql	9	✅	❌	❌	❌	✅	❌	❌
Agoo	1	❌	❌	❌	❌	✅	⚠️	❌

For Penetration Testers

Use graphw00f to fingerprint a target GraphQL API and determine the backend implementation.

Related

Graphw00F : GraphQL fingerprinting tool for GQL endpoints

September 22, 2021

In "Kali Linux"

Damn Vulnerable GraphQL Application

February 19, 2021

In "Kali Linux"

GraphQL Cop : Security Auditor Utility For GraphQL APIs

April 11, 2022

In "Kali Linux"

R K

Next PEzor-Docker : With The Help Of This Docker Image, You Can Easily Access PEzor On Your System! »

Previous « Malicious-Pdf : Generate A Bunch Of Malicious Pdf Files With Phone-Home Functionality

Leave a Comment

Share

Published by

R K

Tags: FrameworkGraphQLGraphql-Threat-MatrixSecurity Professionals

4 years ago

Recent Posts

Tutorials

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

9 hours ago

How To

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

19 hours ago

How To

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

20 hours ago

How To

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

21 hours ago

How To

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

21 hours ago

How To

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

22 hours ago

L