Enterprise security teams have had since 2015 to familiarize themselves with GraphQL API security. But many — if not most — still haven’t captured the security nuances of the popular open-source query language. Simply understanding GraphQL’s processes and vulnerable attack vectors isn’t sufficient; it’s also necessary to recognize exploit attempts and nefarious queries (and trigger actions whenever those threats arise). A complete GraphQL security strategy must also be ready to defeat attacks designed to infiltrate GraphQL specifically. A more generalized API security strategy isn’t going to cut it, as headlines continue to prove.
Security teams likely have either a web application firewall (WAF) performing active application monitoring to detect threats or a comparable in-house solution that leverages access logs to monitor threat behavior. They also likely depend on specific indicators when monitoring for anomalous activity — including HTTP methods and response status codes, sensitive API routes, and API parameters. Keeping an eye on these indicators can identify attacks where clients try to overwhelm a registration endpoint, perform multiple unsuccessful logins, attempt account enumeration, or tamper with key parameters.