42Crunch for GraphQL gateways
What middleBrick covers
- Schema introspection mapping and type exposure analysis
- Query complexity estimation and pagination gap detection
- Field-level authorization checks across roles
- Input validation probing without destructive payloads
- Transport security and header validation
- Authenticated scanning with domain verification gate
GraphQL Introspection and Type Exposure
GraphQL endpoints often expose type information through introspection, which can reveal field names, relationships, and query capabilities. middleBrick checks whether introspection is enabled in production and maps the schema to identify potentially sensitive types.
- Detects open introspection queries and lists object types, interfaces, and input fields.
- Flags verbose error messages that disclose resolver behavior or internal paths.
- Identifies common patterns such as nested objects that may enable deep data inference.
By comparing the resolved schema with defined security rules, the scanner surfaces findings relevant to access control over types and operations.
Query Complexity and Resource Consumption
GraphQL queries can be crafted to request deeply nested fields or large lists, leading to high server resource usage. middleBrick analyzes operation depth, complexity hints, and requested field counts to highlight resource-intensive patterns.
- Estimates query complexity based on field count and nesting depth heuristics.
- Flags operations that request unbounded lists without pagination arguments.
- Identifies missing cost analysis on the server side, which can enable denial-of-service scenarios.
The scanner uses read-only methods only and does not execute payloads that modify state.
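As an added illustration (not middleBrick's own code), the depth, field-count and pagination heuristics described above, written in Python: LIST_FIELDS, PAGINATION_ARGS and UNBOUNDED_FACTOR are constructed assumptions standing in for what introspection would supply, and the parser is a deliberately minimal one for plain selection sets.

```python
import re

# Constructed schema hints: a real scanner would take list-typed fields from
# introspection rather than from a fixed set.
LIST_FIELDS = {"users", "orders", "items", "reviews"}
PAGINATION_ARGS = {"first", "last", "limit"}
UNBOUNDED_FACTOR = 100  # assumed fan-out of a list field with no pagination argument
TOKEN = re.compile(r'[A-Za-z_][A-Za-z0-9_]*|\d+|"[^"]*"|[{}():,]')

def parse(tokens, i):
    """Parse the selection set at tokens[i] == '{'; return (fields, next_index).
    Each field is (name, args, children). Scalar arguments only; no aliases,
    fragments, directives or variables."""
    i, fields = i + 1, []
    while tokens[i] != "}":
        name, args, children, i = tokens[i], {}, [], i + 1
        if tokens[i] == "(":                     # argument list: (key: value, ...)
            i += 1
            while tokens[i] != ")":
                if tokens[i] == ",":
                    i += 1
                    continue
                args[tokens[i]] = tokens[i + 2]  # tokens[i + 1] is ':'
                i += 3
            i += 1
        if tokens[i] == "{":                     # nested selection set
            children, i = parse(tokens, i)
        fields.append((name, args, children))
    return fields, i + 1

def analyze(query):
    """Return (max_depth, field_count, estimated_cost, unpaginated_list_paths)."""
    tokens = TOKEN.findall(query)
    fields, _ = parse(tokens, tokens.index("{"))
    unpaginated = []
    def walk(fields, depth, path):
        cost, count, deepest = 0, 0, depth
        for name, args, children in fields:
            sub = walk(children, depth + 1, path + [name]) if children else (0, 0, depth)
            count += 1 + sub[1]
            deepest = max(deepest, sub[2])
            factor = 1
            if name in LIST_FIELDS:  # a list multiplies the cost of everything beneath it
                page = [int(v) for k, v in args.items() if k in PAGINATION_ARGS and v.isdigit()]
                if not page:
                    unpaginated.append("/".join(path + [name]))
                factor = page[0] if page else UNBOUNDED_FACTOR
            cost += 1 + factor * sub[0]
        return cost, count, deepest
    cost, count, deepest = walk(fields, 1, [])
    return deepest, count, cost, sorted(unpaginated)
```

A query such as `users(first: 10) { orders { items { product { name } } } }` scores far higher than a paginated one because each unbounded list multiplies the cost of the whole subtree beneath it, which is the pattern the scanner flags.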
Authorization and Field-Level Access Control
GraphQL APIs often lack fine-grained field-level authorization, returning data that a caller should not see. middleBrick probes queries with different role contexts to detect over-exposed fields and missing authorization checks.
- Tests queries that request sensitive fields such as internal IDs, emails, or payment indicators.
- Checks whether server responses differ across authenticated contexts for the same operation.
- Helps surface findings aligned with security controls described in the OWASP API Security Top 10.
Note that business logic nuances requiring domain understanding are outside the scope of automated detection.
Input Validation and Injection Surface
GraphQL input types can be abused to probe for injection or parsing anomalies. middleBrick sends benign, malformed, and boundary-case inputs to identify weak validation layers.
- Tests scalar inputs such as integers, strings, and IDs with oversized or malformed values.
- Checks for verbose error messages that reveal internal stack traces or resolver details.
- Validates handling of special characters and encodings without executing destructive payloads.
The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope.
Authentication, Security Headers, and Transport Safety
GraphQL APIs may rely on HTTP headers or cookies for authentication, and transport misconfigurations can expose data. middleBrick verifies the presence of security headers and checks transport-level protections.
- Validates HTTPS usage and HSTS presence, and flags endpoints that are served over plain HTTP.
- Checks cookie flags such as Secure and HttpOnly where applicable.
- Maps authentication mechanisms and flags missing security headers relevant to API safety.
Authenticated scanning is available in Starter tier and above, requiring domain verification to ensure credentials are tested only against authorized hosts.