🔖Hacking GraphQL APIs
GraphQL pentesting focuses on identifying security vulnerabilities in applications that use GraphQL for data querying. Unlike REST APIs, GraphQL allows clients to request specific data, which can expose underlying issues if not properly secured. Key areas of concern include improper authorization checks, excessive data exposure, and insufficient input validation. Pentesters should look for flaws such as introspection queries revealing sensitive schema details, or complex queries leading to denial of service. Ensuring robust input validation, implementing strict authorization checks, and limiting query complexity are essential practices to secure GraphQL endpoints.
🖥 Articles and Blog Posts
🔗 Hacktricks - GraphQL and Security
🔗 Five easy ways to hack GraphQL targets
🔗 PortSwigger - GraphQL
🔗 ApiSecurity
⬇️ GitHub Resources
📱 PayloadsAllTheThings
📱 hacking graphql
📱 Awesome Graphql Security
📱 Hack-graphql
⬇️ Videos
🖤 NahamCon2024: GraphQL is the New PHP
🖤 Finding Your Next Bug: GraphQL
🖤 GraphQL API Pentesting
⬇️ Books
📕 Black Hat GraphQL
📕 Hacking APIs - Breaking Web Application ...
📕 API Security in Action
#BugBounty #Recon #BugBountyTips #CyberSecurity #Infosec #Reconnaissance #graphql
🔹 Share & Support Us 🔹
💬 Channel : @Hide_Club