
GraphQL Testing

NAT provides specialized support for GraphQL APIs, including schema introspection, query fuzzing, injection detection, and authorization testing unique to GraphQL.

Quick start

nat scan --url https://api.example.com/graphql --graphql

NAT detects the GraphQL endpoint automatically when --graphql is set. If your endpoint is at a non-standard path, provide it with --graphql-endpoint:

nat scan --url https://api.example.com \
  --graphql \
  --graphql-endpoint /api/graphql

Schema introspection

NAT uses GraphQL introspection to discover the full schema — all types, queries, mutations, and subscriptions:

nat scan --url https://api.example.com/graphql --graphql

If introspection is disabled (common in production), provide the schema directly:

nat scan --url https://api.example.com/graphql \
  --graphql \
  --graphql-schema ./schema.graphql

If introspection is disabled on your production endpoint, NAT will still test via query fuzzing — but providing a schema significantly increases coverage.

What NAT tests in GraphQL APIs

Authorization

Test                 Description
Object-level auth    Access other users' data through direct ID substitution
Field-level auth     Query sensitive fields not intended for your role
Mutation auth        Execute mutations your role shouldn't allow
Subscription auth    Subscribe to events your role shouldn't see

Injection

Test                     Description
SQL injection            Injected SQL in string arguments resolved by a database
NoSQL injection          MongoDB/DynamoDB operator injection
Directive injection      Malicious directives in queries
Alias-based injection    Bypass rate limiting via query aliases

DoS / Resource exhaustion

Test                   Description
Query depth            Deeply nested queries that trigger N+1 problems
Query complexity       High-complexity queries without complexity limits
Batching attacks       Batch multiple expensive operations in one request
Alias amplification    Use aliases to repeat expensive resolvers in one request
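Server-side counterpart to the query depth, batching and alias amplification checks in this table, as an added example that is not NAT's code: a pre-resolver budget that counts selection-set depth and aliases across a whole (possibly batched) request and rejects it before any resolver runs. The MAX_DEPTH and MAX_ALIASES budgets, the expensiveReport resolver name and the sample query are assumptions.

```python
import re

MAX_DEPTH = 5     # assumed budget: nested selection sets; the operation body counts as 1
MAX_ALIASES = 10  # assumed budget: total `alias: field` pairs per HTTP request
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')  # "..." literals, escapes allowed
_COMMENT = re.compile(r'#[^\n]*')            # GraphQL line comments

def _strip_noise(doc: str) -> str:
    """Blank out string literals and comments so braces or colons inside
    them are not miscounted as selection sets or aliases."""
    return _COMMENT.sub('', _STRING.sub('""', doc))

def analyze(doc: str) -> dict:
    """Maximum selection-set depth and alias count of a document. Text inside
    parentheses (arguments, variable definitions, directive arguments) is
    skipped, so the colon in `user(id: "1")` or `($input: OrderInput!)` is
    not taken for an alias. Fragment spreads are not expanded (no depth)."""
    depth = max_depth = parens = aliases = 0
    for ch in _strip_noise(doc):
        if ch == '(':
            parens += 1
        elif ch == ')':
            parens -= 1
        elif parens == 0:
            if ch == '{':
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch == '}':
                depth -= 1
            elif ch == ':':
                aliases += 1
    return {'depth': max_depth, 'aliases': aliases}

def check_request(operations: list) -> tuple:
    """Apply the budget to one HTTP request. A batched request (JSON array of
    operations) is summed, so batching cannot dodge the per-query limits."""
    total_aliases = 0
    for doc in operations:
        stats = analyze(doc)
        if stats['depth'] > MAX_DEPTH:
            return False, f"depth {stats['depth']} exceeds {MAX_DEPTH}"
        total_aliases += stats['aliases']
    if total_aliases > MAX_ALIASES:
        return False, f"{total_aliases} aliases exceed {MAX_ALIASES}"
    return True, "ok"

# Constructed sample: one expensive resolver repeated 12 times through aliases
AMPLIFIED = "query Amplify {\n" + "".join(
    f"  r{i}: expensiveReport(year: 2023) {{ total }}\n" for i in range(12)) + "}"
```

Run the guard on the raw request body before parsing and executing it; a rejection is also a useful detection signal to log alongside the caller's identity.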

Information disclosure

  • Schema leakage when introspection should be disabled
  • Verbose error messages exposing resolver details
  • Debug fields (__typename abuse, __schema leakage)

Authentication with GraphQL

Most GraphQL APIs use token-based authentication:

nat scan --url https://api.example.com/graphql \
  --graphql \
  --auth-type bearer \
  --token "$TOKEN"

For multi-user authorization testing, provide a second token:

nat scan --url https://api.example.com/graphql \
  --graphql \
  --auth-type bearer \
  --token "$USER_A_TOKEN" \
  --secondary-token "$USER_B_TOKEN"

This enables NAT to test cross-user resource access (BOLA) in GraphQL.

Custom queries

You can seed NAT with example queries and mutations to improve test quality:

nat scan --url https://api.example.com/graphql \
  --graphql \
  --graphql-queries ./example-queries.graphql

Example queries file:

# example-queries.graphql
query GetUser {
  user(id: "1") {
    id
    email
    name
    orders {
      id
      total
    }
  }
}
 
mutation CreateOrder($input: OrderInput!) {
  createOrder(input: $input) {
    id
    status
  }
}

Output and reporting

GraphQL findings are reported with the same severity scale as REST findings:

[HIGH]  query GetUser — Broken Object Level Authorization
        User A can access User B's order history via user(id: "...") query
[MED]   query ListProducts — Unrestricted Query Depth
        Depth-10 nested query executes without error or complexity limit
[LOW]   __schema — Introspection enabled in production

Disabling introspection (recommended for production)

If NAT finds that introspection is enabled on your production endpoint, you should disable it:

// Apollo Server (Node.js)
const server = new ApolloServer({
  schema,
  introspection: process.env.NODE_ENV !== 'production',
});

# Graphene (Python)
import graphene

schema = graphene.Schema(query=Query, mutation=Mutation)
# GraphQL here is the ASGI/WSGI application class of the framework integration in use
app = GraphQL(schema, introspection=False)

Disabling introspection is a security hardening measure but is not a substitute for proper authorization controls. NAT will continue testing your API through query fuzzing even when introspection is disabled.
