GraphQL APIs introduce security challenges distinct from REST: introspection queries can reveal the entire API schema, deeply nested queries can cause denial of service through resource exhaustion, batching (field aliases or an array of operations in one HTTP body) lets an attacker pack many credential guesses into a single request and so defeat per-request rate limits, and the flexible query structure makes authorisation enforcement more complex because one endpoint serves every operation. Testing covers: introspection disclosure, query depth and complexity limits, authorisation at the field level (not just endpoint level), injection through query variables, batching abuse, and whether rate limiting still works for a query language that has no fixed endpoints to count against.
Technical
GraphQL API Security Testing: Unique Vulnerabilities Beyond REST for Philippine Enterprises
GraphQL introduces security challenges different from those of REST APIs: introspection, query depth, batching attacks, and authorisation bypass. Guidance for the Philippine market.
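As an added example (not code from the article or from any tool it describes), the script below builds the three request shapes a tester sends when probing the areas listed in the summary above: an introspection query, a deeply nested query, and a batched credential brute-force done two ways (field aliases, and an array of operations). It then applies the gateway-side checks that should reject each one. The `login` mutation, the `user.friends` field, the sample passwords and the numeric thresholds are all assumptions for illustration. Depth and alias counting is done by brace counting and a regex so the example runs offline without a GraphQL library; a production gateway should run these rules over a real parsed document instead.

```python
import json
import re

# Constructed sample request (not from the article): the probe a tester sends
# first, to learn whether the schema is exposed via introspection.
INTROSPECTION_QUERY = "query Probe { __schema { types { name fields { name } } } }"


def build_nested_query(depth):
    """Friends-of-friends query nested `depth` levels, used to test depth limits.
    `user` and `friends` are hypothetical fields."""
    selection = "id"
    for _ in range(depth):
        selection = "friends { " + selection + " }"
    return "query DeepProbe { user(id: 1) { " + selection + " } }"


def build_alias_bruteforce(username, passwords):
    """Many login attempts in ONE HTTP request via field aliases, so a
    per-request rate limit sees a single call. `login` is hypothetical."""
    attempts = [
        "a%d: login(username: %s, password: %s) { token }"
        % (i, json.dumps(username), json.dumps(p))
        for i, p in enumerate(passwords)
    ]
    return "mutation Probe { " + " ".join(attempts) + " }"


def build_array_batch(username, passwords):
    """Same attack using transport-level batching: a JSON array of operations."""
    return json.dumps([
        {"query": "mutation { login(username: %s, password: %s) { token } }"
                  % (json.dumps(username), json.dumps(p))}
        for p in passwords
    ])


# ---- checks a hardened gateway applies before executing anything ----

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals, escapes included


def selection_depth(query):
    """Maximum nesting of selection sets, counting braces outside string literals."""
    cur = deepest = 0
    for ch in _STRING.sub('""', query):
        if ch == "{":
            cur += 1
            deepest = max(deepest, cur)
        elif ch == "}":
            cur -= 1
    return deepest


def alias_count(query):
    """Heuristic: `name: field(` or `name: field {` outside strings is an alias.
    Argument values never match because they are not followed by `(` or `{`."""
    return len(re.findall(r"[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*\s*[({]",
                          _STRING.sub('""', query)))


def check_request(body, max_depth=6, max_aliases=5, max_batch=3,
                  allow_introspection=False):
    """Return the policy violations for one HTTP body, which may be a raw query
    string, a {"query": ...} object, or a JSON array of such objects.
    Thresholds are illustrative assumptions, not vendor defaults."""
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None
    if isinstance(parsed, list):
        ops = [op.get("query", "") for op in parsed]
    elif isinstance(parsed, dict):
        ops = [parsed.get("query", "")]
    else:
        ops = [body]

    findings = []
    if len(ops) > max_batch:
        findings.append("batch of %d operations exceeds %d" % (len(ops), max_batch))
    for q in ops:
        if not allow_introspection and re.search(r"__(schema|type)\b", q):
            findings.append("introspection requested")
        d = selection_depth(q)
        if d > max_depth:
            findings.append("depth %d exceeds %d" % (d, max_depth))
        a = alias_count(q)
        if a > max_aliases:
            findings.append("%d aliases exceeds %d" % (a, max_aliases))
    return findings


if __name__ == "__main__":
    guesses = ["pass1", "pass2", "pass3", "pass4", "pass5", "pass6", "pass7", "pass8"]
    for name, body in [
        ("introspection", json.dumps({"query": INTROSPECTION_QUERY})),
        ("nested", build_nested_query(8)),
        ("aliases", build_alias_bruteforce("admin", guesses)),
        ("array batch", build_array_batch("admin", guesses[:4])),
    ]:
        print(name, "->", check_request(body) or "allowed")
```

Note that the alias limit and the batch limit have to be enforced together: capping the number of operations per body does nothing against aliases inside one operation, and vice versa. Equally, a per-login rate limit keyed on the resolver (not on the HTTP request) is what actually stops the brute force; the limits above only make it visible.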