Supporting GraphQL API Calls

GraphQL is an open-source query language for APIs and an alternative to the RESTful architecture. Unlike a REST API call, which returns the properties of a single resource, a GraphQL query can follow references between multiple resources and retrieve all the required data in a single request. If you would like to learn more about GraphQL, you can follow this link.

GraphQL allows clients to follow references between multiple resources in a single API request, and it is commonly implemented so that all API calls are directed to a single endpoint. What differentiates one API call from another is the GraphQL operation, which resides in the payload of the request, changes according to the action being taken (e.g. login, checkout, product info) and acts as an identifier for the request's purpose. The GraphQL operation includes a query, which specifies the pieces of information it is trying to retrieve from or modify on the web server.

To address the risks and potential attack vectors that exploit GraphQL vulnerabilities, HUMAN has added support to its enforcer that provides visibility into GraphQL requests by inspecting the payload and extracting the relevant information, ensuring that bot detection can be applied to GraphQL endpoints. Extraction of information from the GraphQL request payload is available in the latest enforcer versions and is enabled automatically, with no configuration required on your end. For details of additional supported GraphQL features, please refer to the Supported Features section for the framework your enforcer is deployed on.
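As an added illustration of the payload inspection described above (example code written for this page, not HUMAN's enforcer implementation): given a GraphQL-over-HTTP JSON body, recover the operation type, operation name, root fields and variable names that identify the request's purpose when every call hits the same endpoint. The `query`, `operationName` and `variables` keys follow the common GraphQL-over-HTTP JSON convention, and the request body below is constructed, not captured traffic.

```python
import json
import re

_IDENT = re.compile(r"[A-Za-z_]\w*")
# Operation header such as "mutation Login(" or "query {"; the shorthand "{ ... }" has none.
_OP_HEADER = re.compile(r"\b(?P<type>query|mutation|subscription)\b\s*(?P<name>[A-Za-z_]\w*)?")

# Constructed request body (not real traffic): a multi-operation document where operationName picks the mutation.
SAMPLE_BODY = json.dumps({"operationName": "Checkout", "variables": {"cartId": "c-123", "coupon": None},
    "query": """fragment Money on Price { amount currency }  query CartSummary { cart { items { sku } } }
      mutation Checkout($cartId: ID!, $coupon: String) {  # place the order
        order: placeOrder(cartId: $cartId, options: {coupon: $coupon}) { id total { ...Money } }
        applyCoupon(code: $coupon) @include(if: true) { ok } }"""})


def _top_level_fields(query):
    """Field names selected directly under the root selection set, with aliases resolved."""
    fields, pos, depth, parens, spread = [], query.find("{"), 0, 0, False
    while 0 <= pos < len(query):  # pos is -1 when the document has no selection set at all
        ch = query[pos]
        if ch in "{}":  # braces open/close selection sets and object-literal arguments
            depth, spread = depth + (1 if ch == "{" else -1), False
            if depth == 0:
                break  # closed the root selection set
        elif ch in "()":  # argument lists: nothing inside them is a field
            parens += 1 if ch == "(" else -1
        elif ch == "." and parens == 0:  # start of a "...Fragment" or "... on Type" spread
            spread = True
        elif depth == 1 and parens == 0 and (ch.isalpha() or ch == "_"):
            m = _IDENT.match(query, pos)
            name, pos = m.group(0), m.end()
            if spread:
                spread = name == "on"  # "... on Type": the type name is still to be skipped
            elif query[m.start() - 1] != "@" and not query[pos:].lstrip().startswith(":"):
                fields.append(name)  # a real field, not a directive or an alias label
            continue
        pos += 1
    return fields


def extract_operation(body):
    """Recover what identifies the request's purpose from a GraphQL-over-HTTP JSON body."""
    payload = json.loads(body)
    query = re.sub(r"#[^\n]*", "", payload.get("query") or "")  # drop comments (assumes no '#' in string args)
    name = payload.get("operationName")  # when present, selects one operation out of several in the document
    header = r"\b(?P<type>query|mutation|subscription)\s+(?P<name>%s)\b" % re.escape(name) if name else _OP_HEADER
    m = re.search(header, query)
    if m:  # no header at all means the shorthand "{ ... }", an anonymous query
        query, name = query[m.start():], m.group("name")
    return {"type": m.group("type") if m else "query", "name": name, "fields": _top_level_fields(query),
            "variables": sorted((payload.get("variables") or {}).keys())}
```

The result (for the sample: a `Checkout` mutation selecting `placeOrder` and `applyCoupon`) is the kind of per-operation identity a bot-detection policy can key on, rather than the shared URL.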