With the increasing number of web platforms built on top of data query and manipulation languages, such as GraphQL.After having conducted numerous engagements in this realm, our security engineers can efficiently combine dynamic testing with static reviews for schemas and data types.
  • Apollo and Others

    Doyensec has developed a unique skill set for reviewing complicated queries and mutations. Our research-driven approach to GraphQL security is the culmination of our experience. We combine techniques and tooling to improve the efficiency of our security testing efforts.

    By leveraging internal framework mechanisms, such as introspection, we ensure both code and attack coverage even in large deployments.We review all application queries and mutations to inspect results and perform extensive authorization testing to highlight insecure direct object reference problems.

    While the language addresses some of the traditional web application vulnerabilities, it opens the door to information leakage and access control flaws. When reviewing GraphQL powered APIs, we particularly focus on those problems.

Information Gathering and Reconnaissance

  • Endpoint and IDE Identification
  • Server Fingerprinting Introspection Query Response Analysis
  • Field and Field Suggestion Probing Mapping Out Application Features and Components
  • Architecture and Threat Mapping
  • Identifying Application Entry Points
  • TLS/SSL Testing
  • Analysis of Error Codes and Stack Traces
  • Validating Debug and Query Tracing Status
  • Mapping the Control Flow


  • Configuration Settings
  • Automatic Persisted Queries
  • Query Depth, Complexity and Cost Limiting
  • Query Timeouts and Pagination Rate Limiting System Resource Limits
  • HTTP Methods, HTTP Verbs
  • File Extension and URL Handlers
  • Cross Domain Policies
  • Legacy and Dead Code
  • Account Suspension/Resumption Process
  • HTTP Strict Transport Security (HSTS)
  • Auditing the User Registration Process
  • Auditing the Account Provisioning Process
  • Enumerating Application Roles


  • Encrypted Transport of Credentials and Sensitive Data
  • User Enumeration
  • Account Lockout
  • Race Conditions
  • Credential Change and Reset
  • Weak CAPTCHA Implementation
  • Authentication Bypasses
  • "Remember Password"
  • Browser Caching
  • Credential Policy
  • Credential Handling and Storage
  • Multiple Factor Authentication
  • Alternative Channel for Authentication


  • Consistent Edge and Node Authorization Checks
  • Authorization Checks for All Available Verbs
  • Directory Traversal/File Inclusion
  • Proper Admin Authorization
  • Authorization Schema Bypass
  • Privilege Escalation
  • Insecure Direct Object References (IDOR)

Session Management

  • Session Management Bypass
  • Cookies without ‘HTTP Only’ and ‘Secure’ Flags
  • Cookie Minting
  • Session Fixation
  • Exposed Session Variables
  • Cross Site Request Forgery (CSRF) Cross Site WebSocket Hijacking
  • Logout Management
  • Session Timeout
  • Session Puzzling

Data Validation

  • Use of Data Typing and Schemas
  • Use of Custom Validators and Scalars
  • Reflected Cross Site Scripting
  • Stored Cross Site Scripting
  • HTTP Verb Tampering
  • HTTP Parameter Pollution
  • XML External Entity (XXE)
  • IMAP/SMTP Injection
  • SQL and NoSQL Injection
  • Second Order Injection Vulnerabilities
  • Code Injection
  • Local and Remote File Inclusion
  • Command Injection
  • HTTP Splitting and Response Smuggling
  • AJAX Weaknesses
  • Format Strings
  • Heap, Stack Buffer Overflows
  • Integer Wrapping


  • Weak SSL/TLS Ciphers
  • Padding Oracle
  • Sensitive information Sent via Unencrypted Channels
  • Entropy Analysis
  • Correct Mode Selection and Application
  • Key Strength
  • Brute Force Attack Resiliency
  • Weaknesses in Integrity, Confidentiality, Authenticity, Availability
  • Various Crypto Attacks (CCA, CPA, COA, KPA, etc.)

Business Logic

  • Business Logic Data Validation
  • File Upload Vulnerabilities
  • Replay Attacks
  • Forging Requests
  • Process Timing
  • Integrity Checks
  • Circumvention of Work Flows
  • Abuse of Functionality

Denial of Service

  • Nested Objects and Queries
  • Batching Attack Resiliency
  • Circular Queries and Fragments
  • Field Duplication
  • Alias and Directive Overloading
  • Pagination Object Limit Overriding
  • Locking Customer Accounts
  • User Input as a Loop Counter
  • Failure to Release Resources
  • Storing Too Much Data in Session
  • User Specified Object Allocation
  • Writing User Provided Data to Disk

our research articles

Research is one of our founding principles and we invest in it heavily. All of our researchers have the privilege to use %25 of their time exclusively for self-directed research.

show more publications