The GraphQL specification states that clients are responsible for specifying what they will consume. Because of this design, GraphQL API servers can be abused to deplete the servers’ resources. The most popular implementations in different languages were tested, and the availability of all of them was compromised. Even before developers start defining their GraphQL schemas, servers’ availability will be vulnerable by default.
Multiple new attack vectors, along with a complete tool to identify and attack GraphQL API servers, will be released to facilitate testing and research.