Does this skill help prevent Denial of Service (DoS) attacks?

It helps identify vulnerabilities to DoS by testing how the API handles deeply nested queries and field duplication, allowing developers to implement proper depth limits.

Is this skill intended for malicious use?

No, this skill is designed for authorized security professionals and developers to perform ethical security audits and harden API defenses with proper permission.

Can this skill be used if introspection is disabled?

Yes, the skill includes techniques like 'Clairvoyance' or field suggestion brute-forcing to attempt schema reconstruction through error messages even when introspection is turned off.

What are sensitive indicators in a GraphQL schema?

Sensitive indicators include field or type names like 'password', 'token', 'admin', 'secret', or 'creditCard' that might expose PII or administrative controls.

What is GraphQL introspection and why test it?

Introspection is a GraphQL feature that allows clients to query the schema for its structure. Testing it ensures that internal API details aren't inadvertently exposed to unauthorized users.

GraphQL Security Auditor

Name: GraphQL Security Auditor
Author: micsapp

bymicsapp

0•

Seguridad y Pruebas

Performs automated GraphQL schema extraction and vulnerability assessments to secure API endpoints against common attack vectors.

The GraphQL Security Auditor skill is a specialized tool designed for security researchers and developers to evaluate the resilience of GraphQL APIs. It automates the discovery of endpoints, extracts comprehensive schemas via introspection, and identifies sensitive data exposures within types and mutations. By simulating advanced testing techniques—such as query depth analysis, alias-based batching, and schema reconstruction—this skill helps teams proactively identify and mitigate risks like resource exhaustion and unauthorized data access in their GraphQL implementations.

Características Principales

01Security testing for query depth limits, batching attacks, and DoS vulnerabilities

02Schema reconstruction capabilities for environments where introspection is disabled

03Automated identification of sensitive fields, types, and administrative mutations

04Automated discovery of GraphQL endpoints across common deployment paths

050 GitHub stars

06Full schema extraction and visualization via introspection queries

Casos de Uso

01Conducting authorized penetration testing on internal and external GraphQL APIs

02Auditing GraphQL schema configurations for accidental sensitive data exposure

03Validating the effectiveness of API rate limits and query complexity protections

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills performing-graphql-introspection-attack

For use in Claude.ai and ChatGPT

Características Principales

01Security testing for query depth limits, batching attacks, and DoS vulnerabilities

02Schema reconstruction capabilities for environments where introspection is disabled

03Automated identification of sensitive fields, types, and administrative mutations

04Automated discovery of GraphQL endpoints across common deployment paths

050 GitHub stars

06Full schema extraction and visualization via introspection queries

Casos de Uso

01Conducting authorized penetration testing on internal and external GraphQL APIs

02Auditing GraphQL schema configurations for accidental sensitive data exposure

03Validating the effectiveness of API rate limits and query complexity protections

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills performing-graphql-introspection-attack

For use in Claude.ai and ChatGPT