performing-graphql-depth-limit-attack

Featured

Execute and test GraphQL depth limit attacks using deeply nested recursive queries to identify denial-of-service vulnerabilities in GraphQL APIs.

API & Backend 13,115 stars 1533 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Performing GraphQL Depth Limit Attack ## Overview GraphQL depth limit attacks exploit the recursive nature of GraphQL schemas to craft deeply nested queries that consume excessive server resources, leading to denial of service. Unlike REST APIs with fixed endpoints, GraphQL allows clients to request arbitrary data structures. When schemas contain circular relationships (e.g., User -> Posts -> Author -> Posts), attackers can create queries that recurse indefinitely, overwhelming the server's CPU, memory, database connections, and network bandwidth. ## When to Use - When conducting security assessments that involve performing graphql depth limit attack - When following incident response procedures for related security events - When performing scheduled security testing or auditing activities - When validating security controls through hands-on testing ## Prerequisites - Target GraphQL API endpoint with introspection enabled or known schema - GraphQL client tools (GraphiQL, Altair, Insomnia, or curl) - Python 3.8+ with requests library for automated testing - Burp Suite or mitmproxy for traffic analysis - Authorization to perform security testing on the target > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Core Attack Techniques ### 1. Recursive Depth Attack When a GraphQL schema has ...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Integrates with

GraphQL · API REST API · API

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

performing-graphql-introspection-attack

Performs GraphQL introspection attacks to extract the full API schema including types, queries, mutations, subscriptions, and field definitions from GraphQL endpoints. The tester uses introspection queries to map the attack surface, identifies sensitive fields and mutations, tests for query depth and complexity limits, and exploits GraphQL-specific vulnerabilities including batching attacks, alias-based brute force, and nested query DoS. Activates for requests involving GraphQL security testing, introspection attack, GraphQL enumeration, or GraphQL API penetration testing.

13,115 Updated today
mukul975
API & Backend Featured

performing-graphql-security-assessment

Assessing GraphQL API endpoints for introspection leaks, injection attacks, authorization flaws, and denial-of-service vulnerabilities during authorized security tests.

13,115 Updated today
mukul975
API & Backend Listed

graphql-security

Security audit for GraphQL APIs covering query depth and complexity limits, introspection exposure, field-level authorization, mutation auth, persisted queries, batching abuse, error message leakage, subscription auth, and Apollo/urql/graphql-yoga/Mercurius/Hasura/PostGraphile-specific patterns. Use this skill whenever the user mentions GraphQL, Apollo Server, Apollo Client, urql, graphql-yoga, Mercurius, Hasura, PostGraphile, Strawberry (Python), gqlgen (Go), resolvers, schema.graphql, .gql files, query depth, query complexity, or asks "audit my GraphQL", "GraphQL security review", "depth limit", "persisted queries". Trigger when the codebase contains `.graphql`/`.gql` files, `apollo-server`, `@apollo/server`, `graphql-yoga`, `mercurius`, or `graphql` packages.

1 Updated 1 weeks ago
hlsitechio
API & Backend Solid

graphql

GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.

27,705 Updated today
davila7
API & Backend Listed

graphql

GraphQL gives clients exactly the data they need - no more, no less. One endpoint, typed schema, introspection. But the flexibility that makes it powerful also makes it dangerous. Without proper controls, clients can craft queries that bring down your server. This skill covers schema design, resolvers, DataLoader for N+1 prevention, federation for microservices, and client integration with Apollo/urql. Key insight: GraphQL is a contract. The schema is the API documentation. Design it carefully.

335 Updated today
aiskillstore