XowiaScan

GraphQL Security Suite

Web Security Audit

Paste an introspection schema or fetch the endpoint, and get a severity-graded review of every Query, Mutation and Subscription — plus ready-to-run aliasing, deep-nesting and batched attack queries.

What is GraphQL Security Suite?

GraphQL Security Suite analyses a GraphQL API the way you would in a real engagement: start from the schema, find the dangerous mutations, work out the depth and batching surface, and walk away with the exact queries to test on your own machine.

It runs in two modes. Paste introspection JSON takes a schema you already captured in Burp or DevTools and parses it locally — zero target traffic. Fetch endpoint sends one standard introspection POST (plus one benign GET probe to check CSRF-over-GET), guarded against internal addresses, and analyses the schema it gets back.

The output is the same shape as the rest of the suite — a graded summary, a severity-ranked findings list, a complete Query / Mutation / Subscription map and a tab full of attack queries you can copy into Burp or curl.

What it checks

  • Introspection in production — the single biggest GraphQL leak; flagged as soon as the endpoint hands you a full schema unauthenticated.
  • Dangerous mutations — delete*, update*, admin*, setRole, impersonate, refund and friends are highlighted as authorization candidates.
  • Sensitive fields exposed — password, token, secret, ssn, apiKey, privateKey queryable on an OBJECT type is direct sensitive-data exposure.
  • Deep-query & batching DoS — detects circular / object-to-object relationships and warns when depth or complexity limits are likely missing.
  • Aliasing brute-force — explains why HTTP-request-count rate limits are not enough on GraphQL, and generates a 100-alias query to prove it.
  • CSRF over GET — probes whether the endpoint will execute a query sent as ?query=..., which makes mutations reachable cross-site.
  • Attack queries on tap — aliasing batch, deep nesting along self-referential fields, JSON-array batching and a one-line introspection curl.
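The schema-side checks above (dangerous mutation names, sensitive fields on OBJECT types, and circular object-to-object relationships that open a deep-nesting surface) can be reproduced locally against a pasted introspection response. The script below is an added example, not XowiaScan's own code; the name lists it matches on are illustrative assumptions, the introspection document is constructed inline, and the "introspection in production" check is deliberately absent because it needs the fetch context (unauthenticated response from the live endpoint), not the JSON alone.

```python
import json

# Illustrative name patterns for this example; the tool's own lists are not published on this page.
DANGEROUS_MUTATION_PREFIXES = ("delete", "update", "admin")
DANGEROUS_MUTATION_KEYWORDS = ("setrole", "impersonate", "refund")
SENSITIVE_FIELD_KEYWORDS = ("password", "token", "secret", "ssn", "apikey", "privatekey")


def named_type(type_ref: dict) -> dict:
    """Strip NON_NULL / LIST wrappers and return the underlying named type reference."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def is_dangerous_mutation(name: str) -> bool:
    lower = name.lower()
    return lower.startswith(DANGEROUS_MUTATION_PREFIXES) or any(k in lower for k in DANGEROUS_MUTATION_KEYWORDS)


def is_sensitive_field(name: str) -> bool:
    return any(k in name.lower() for k in SENSITIVE_FIELD_KEYWORDS)


def object_graph(types: list) -> dict:
    """Map each user-defined OBJECT type to {field name: OBJECT type that field returns}."""
    objects = {t["name"]: t for t in types if t["kind"] == "OBJECT" and not t["name"].startswith("__")}
    graph = {}
    for name, t in objects.items():
        edges = {}
        for field in t.get("fields") or []:
            target = named_type(field["type"])
            if target.get("kind") == "OBJECT" and target.get("name") in objects:
                edges[field["name"]] = target["name"]
        graph[name] = edges
    return graph


def reachable(graph: dict, start: str) -> set:
    """Object types reachable from `start`; contains `start` itself only if it sits on a cycle."""
    seen, stack = set(), [start]
    while stack:
        for target in graph.get(stack.pop(), {}).values():
            if target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


def analyse_schema(introspection: dict) -> list:
    """Produce severity-ranked findings from a standard introspection response."""
    schema = introspection["data"]["__schema"]
    types = schema["types"]
    by_name = {t["name"]: t for t in types}
    findings = []
    # 1. Mutations whose names suggest privileged or destructive actions: authorization candidates.
    mutation_root = (schema.get("mutationType") or {}).get("name")
    for field in (by_name.get(mutation_root) or {}).get("fields") or []:
        if is_dangerous_mutation(field["name"]):
            findings.append({"severity": "high", "check": "dangerous-mutation",
                             "name": f"{mutation_root}.{field['name']}",
                             "detail": "confirm the resolver enforces authorization, not just authentication"})
    # 2. Sensitive-looking fields that are queryable on any OBJECT type.
    for t in types:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        for field in t.get("fields") or []:
            if is_sensitive_field(field["name"]):
                findings.append({"severity": "high", "check": "sensitive-field",
                                 "name": f"{t['name']}.{field['name']}",
                                 "detail": "sensitive-looking field is queryable on an OBJECT type"})
    # 3. Object types that can reach themselves: the deep-nesting DoS surface.
    graph = object_graph(types)
    for name, edges in graph.items():
        if name in reachable(graph, name):
            via = sorted(f for f, target in edges.items() if name in reachable(graph, target))
            findings.append({"severity": "medium", "check": "cyclic-type", "name": name,
                             "detail": f"reachable from itself via {', '.join(via)}; "
                                       "deep-nesting DoS surface unless depth/complexity limits exist"})
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f["severity"]], f["name"]))
    return findings


def _ref(kind, name, of_type=None):
    return {"kind": kind, "name": name, "ofType": of_type}


# Constructed, minimal introspection response for the example (not captured from any real endpoint).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "type": _ref("OBJECT", "User")},
            {"name": "post", "type": _ref("OBJECT", "Post")}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "createPost", "type": _ref("OBJECT", "Post")},
            {"name": "deleteUser", "type": _ref("SCALAR", "Boolean")},
            {"name": "setRole", "type": _ref("OBJECT", "User")}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "type": _ref("NON_NULL", None, _ref("SCALAR", "ID"))},
            {"name": "passwordHash", "type": _ref("SCALAR", "String")},
            {"name": "friends", "type": _ref("LIST", None, _ref("OBJECT", "User"))},
            {"name": "posts", "type": _ref("LIST", None, _ref("OBJECT", "Post"))}]},
        {"kind": "OBJECT", "name": "Post", "fields": [
            {"name": "title", "type": _ref("SCALAR", "String")},
            {"name": "author", "type": _ref("OBJECT", "User")}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}

if __name__ == "__main__":
    print(json.dumps(analyse_schema(SAMPLE_INTROSPECTION), indent=2))
```

Feed it a real capture with `analyse_schema(json.load(open("introspection.json")))`; the cycle check reports every object type that can reach itself and the fields that close the loop (here User via friends and posts, Post via author), which is exactly where a depth limit has to bite.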

Where it fits in your workflow

  • Open every GraphQL endpoint you discover with the Vulnerability Scanner or HTTP ProbeMaster here first — schema-side issues turn into a finding faster than fuzzing the resolvers.
  • After the schema scan, run the generated aliasing / depth queries from your machine to see whether the server actually enforces a complexity budget.
  • Pair with the LLM / Prompt Injection Kit when the GraphQL API is fronted by an AI feature — both surfaces tend to ship together and both leak via introspection-style queries.
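The aliasing, deep-nesting and batching queries the suite generates all exploit the same gap: a rate limit that counts HTTP requests sees one request, while the resolvers do hundreds of units of work. The guard below is an added example of the server-side budget those queries test for, written for this page rather than taken from XowiaScan or any GraphQL server; it measures a raw `/graphql` request body (single operation or JSON-array batch) with a small scanner instead of a full parser, and the limits and sample bodies are constructed assumptions.

```python
import json


def measure_query(query: str) -> dict:
    """Return nesting depth and alias count for one GraphQL document.

    Counting rules used by this example:
      - depth is the deepest nesting of selection-set braces, the root set counting as 1
      - an alias is an identifier followed by ':' inside a selection set and outside
        argument parentheses, so `user(id: 1)` and `$id: ID!` are not counted
    Strings and # comments are skipped so their contents cannot skew the result.
    """
    depth = max_depth = paren = aliases = 0
    in_string = False
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if in_string:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "#":
            while i < n and query[i] != "\n":
                i += 1
        elif c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0:                    # object literals inside arguments are ignored
            if c == "{":
                depth += 1
                max_depth = max(max_depth, depth)
            elif c == "}":
                depth -= 1
            elif c == ":" and depth > 0:
                aliases += 1
        i += 1
    return {"depth": max_depth, "aliases": aliases}


def enforce_budget(body: str, max_depth: int = 8, max_aliases: int = 20, max_batch: int = 5) -> dict:
    """Evaluate a raw request body against a per-request work budget.

    Aliases are summed across a batch because aliasing and batching multiply work
    for the same single HTTP request. Limits are illustrative defaults.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"allowed": False, "batch": 0, "depth": 0, "aliases": 0, "violations": ["body is not JSON"]}
    operations = data if isinstance(data, list) else [data]
    violations = []
    if len(operations) > max_batch:
        violations.append(f"batch of {len(operations)} operations exceeds {max_batch}")
    worst_depth = total_aliases = 0
    for op in operations:
        measured = measure_query(op.get("query", "") if isinstance(op, dict) else "")
        worst_depth = max(worst_depth, measured["depth"])
        total_aliases += measured["aliases"]
    if worst_depth > max_depth:
        violations.append(f"depth {worst_depth} exceeds {max_depth}")
    if total_aliases > max_aliases:
        violations.append(f"{total_aliases} aliases across the request exceed {max_aliases}")
    return {"allowed": not violations, "batch": len(operations), "depth": worst_depth,
            "aliases": total_aliases, "violations": violations}


# Constructed request bodies: one ordinary query and the three shapes the page describes.
NORMAL = json.dumps({"query": "query Me($id: ID!) { me: user(id: $id) { name posts { title } } }",
                     "variables": {"id": "1"}})
ALIASED = json.dumps({"query": "{ " + " ".join(f"u{i}: user(id: {i}) {{ name }}" for i in range(30)) + " }"})
DEEP = json.dumps({"query": "{ me " + "{ friends " * 9 + "{ name }" + " }" * 9 + " }"})
BATCHED = json.dumps([{"query": "{ me { name } }"}] * 8)

if __name__ == "__main__":
    for label, body in (("normal", NORMAL), ("aliased", ALIASED), ("deep", DEEP), ("batched", BATCHED)):
        print(label, enforce_budget(body))
```

Run the generated queries from the suite through `enforce_budget` before sending them anywhere and you can see which limit (depth, aliases, batch size) would have stopped each one; a server that returns 200 for all three shapes is the finding the tool is asking you to confirm.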
Use GraphQL Security Suite

Run it from your dashboard.


At a glance

Category: Web Security Audit
Runs: Server-side
Token cost: 4 / run (free tier)
Access: Pro
Status: Live

Frequently asked questions

Does fetch mode count as active scanning?

It sends one standard introspection POST and one harmless GET probe — the same traffic Apollo Sandbox or GraphQL Playground send. Internal / private hosts are refused. This is consistent with how the Vulnerability Scanner and CSP Evaluator already fetch their targets.

Introspection is disabled in production. Is this tool still useful?

Yes — paste any schema you captured in dev / staging, or any introspection response your interception proxy collected. Disabling introspection in production is good practice, but it rarely blocks field-name brute-forcing through the server's "did you mean" suggestions; bring the dev schema and use it as a map.

Why are the attack queries generated client-side instead of fired?

XowiaScan never actively pounds your target. The aliasing / depth / batching queries are testing DoS surface — those need to come from your machine, in your engagement window, with your throttling. The tool gives you the exact query; you choose when to send it.
